INFORMATION SYSTEMS AUDITS


Information Systems (IS) audits conducted by the Legislative 
Audit Division are designed to assess controls in an IS 
environment. IS controls provide assurance over the accuracy, 
reliability, and integrity of the information processed. From 
the audit work, a determination is made as to whether controls 
exist and are operating as designed. We conducted this IS audit 
in accordance with generally accepted government auditing 
standards. Those standards require that we plan and perform 
the audit to obtain sufficient, appropriate evidence to provide a 
reasonable basis for our findings and conclusions based on our 
audit objectives. We believe that the evidence obtained provides 
a reasonable basis for our findings and conclusions based on our
audit objectives. Members of the IS audit staff hold degrees in 
disciplines appropriate to the audit process. 


IS audits are performed as stand-alone audits of IS controls or 
in conjunction with financial-compliance and/or performance 
audits conducted by the office. These audits are done under 
the oversight of the Legislative Audit Committee, which is a 
bicameral and bipartisan standing committee of the Montana 
Legislature. The committee consists of six members of the Senate 
and six members of the House of Representatives. 
The Legislative Audit Committee
of the Montana State Legislature: 


This is our information systems audit of Montana Prescription Drug Registry managed 
by the Board of Pharmacy which is administratively attached to the Department of 
Labor and Industry. 


This report provides the legislature information about improving management and 
increasing security over the registry. It discusses establishing procedures, increasing 
system functionality, and clarifying responsibilities. It also includes recommendations 
for improving data reliability and addressing misuse and diversion of prescription 
drugs in Montana. Finally, it discusses analyzing resources and actively using the 
advisory group moving forward. A written response from the department is included 
at the end of the report. 


We wish to express our appreciation to the board and department personnel for their 
cooperation and assistance during the audit. 


Respectfully submitted, 
/s/ Angus Maciver 


Angus Maciver 
Legislative Auditor 


Room 160 * State Capitol Building * PO Box 201705 * Helena, MT * 59620-1705
Phone (406) 444-3122 * FAX (406) 444-9784 * E-Mail lad@mt.gov 
JUNE 2019 18DP-01 REPORT SUMMARY


The Montana Prescription Drug Registry (MPDR) tracks prescribed and 
dispensed medications within Montana or to its residents. This allows 
Montana prescribers and pharmacists to search patient medical history for
controlled substances. MPDR is administered by the Board of Pharmacy 
and is a tool for prescribers to improve patient care and safety. The registry 
can also be used to identify potential misuse or diversion of prescription 
medications. Roughly $1.8 million has been spent on the registry since 2012. 
However, significant improvement is needed related to registry oversight and 
maintenance, data reliability, and effective analysis of prescription data to 
identify potential misuses or diversion of prescribed medications. The Board 
of Pharmacy needs to play a more active role in these efforts to achieve the
intent of the registry.





Context 


The Board of Pharmacy (board) is responsible 
for ensuring pharmacies and pharmacists are 
practicing within law and rule. The board 
is also responsible for the governance of the 
Montana Prescription Drug Registry (MPDR) 
and ensuring pharmacies properly report 
prescription drug data to the registry. MPDR 
was authorized by the Montana Legislature 
in 2011 (§37-7-15, MCA) and it became 
functional in November 2012. The registry 
serves as an online tool providing a list of 
dispensed controlled substance prescriptions to 
prescribers and pharmacists to improve patient 
care and safety. This includes using information 
to identify potentially inappropriate dispensing 
and prescribing of prescription medications, 
which is known as misuse and diversion. 


MPDR contains personal health information 
(PHI), which is protected by the Health 
Insurance Portability and Accountability Act 
(HIPAA). Information includes patient names, 
prescriber information, pharmacy information, 
and prescription history. Medical professionals
and pharmacists register to access this
information and can search patient history to 
review past prescriptions for suspicious activity 
or to verify current prescriptions. 


The registry is primarily funded through 
prescriber and pharmacist license fees. 
Previously, the board received federal grant 
money to further expand the registry and its 
capabilities. However, the board did not receive 
grant dollars after 2017 and has since been 
relying on license fees to maintain the registry. 


The board has dedicated one full-time position
responsible for managing the registry’s
day-to-day functions. According to the position 
description, it handles system development and 
testing, security, and data. Our audit work 
focused on high risk management areas specific 
to MPDR including contract and system 
management, security, data integrity, and the 
extent data is used to identify possible misuse 
or diversion of prescription medications. 


Results


Based on our work, we identified that since the 
legislature assigned registry management to 
the board of pharmacy, further planning and 
direction have not been pursued to identify 
the resources needed to maintain MPDR and 
effectively use the data within the registry 
for patient safety. Our work identified best 
practices and state and federal requirements 
that are not being met. Our audit recommends 
the following improvements: 


• Developing a security plan and
user management procedures to
ensure personal health information
maintained in MPDR is secure.

• Enhancing MPDR data integrity and
reliability to better address prescription
misuse and diversion, and the overall
usefulness of the registry.

• Prioritizing project and contract
management over MPDR to ensure
the registry is properly operational.

• Analyzing and soliciting shared
resources for project, contract, and
security management.


Recommendation Concurrence 


Source: Agency audit response included in 
final report. 





For a complete copy of the report (18DP-01) or for further information, contact the 
Legislative Audit Division at 406-444-3122; e-mail to lad@mt.gov; or check the web site at


https://leg.mt.gov/lad/audit-reports 
Report Fraud, Waste, and Abuse to the Legislative Auditor's FRAUD HOTLINE 


Call toll-free 1-800-222-4446, or e-mail LADHotline@mt.gov. 





Chapter I - Introduction and Background


Introduction 


The Montana Department of Public Health and Human Services reported drug 
overdose deaths are on the rise nationally and that it is the third leading cause of 
injury-related deaths in Montana. However, in Montana the number of related 
prescription drug overdose deaths is decreasing. According to the National Institute 
on Drug Abuse, Montana saw a rate of 4.2 deaths per 100,000 persons in 2016. While 
this is down from a high of 9.4 per 100,000 persons in 2006, there were still 42 opioid- 
related overdose deaths in Montana in 2016. Furthermore, Montana is still dealing 
with a significant rate of drug addiction. According to the Montana Department of 
Justice, 1 in 10 Montanans were dependent on or abusing drugs, including prescription 
medications, in 2017. 


The Montana Prescription Drug Registry (MPDR) was authorized by the Montana 
Legislature in 2011 (§37-7-15, MCA) and became functional in November 2012. It 
serves as an online tool to provide a list of controlled substance prescriptions to health 
care providers, and help improve patient care and safety. MPDR is the only source 
of consolidated prescription drug dispensing data within the state, so it also acts as a 
powerful tool to help identify cases in which prescription medications are potentially 
being misused or inappropriately dispensed to the public. 


Background 

Chapter 241 of the 2011 Legislative Session created the prescription drug registry. 
Initially, MPDR was to be administered by the Department of Justice (DOJ).
However, because of privacy concerns surrounding personal health information (PHI),
the registry oversight was instead allocated to the Board of Pharmacy (board). The bill
created a set of statutes that required the board to establish and maintain a prescription 
drug registry for the purpose of improving patient safety. This includes electronically 
collecting information on prescription drug orders involving controlled substances, 
protecting confidentiality of the data, and disseminating information for: 


• The review of possible misuse and diversion of controlled substances
prescribed and dispensed to a patient.

• Public educational and health research.

• Law enforcement investigations.


The Department of Labor and Industry (DLI) administers this board through its 
Business Services Division (division). The division provides administrative services
such as equipment and supplies. The board consists of seven members appointed by
the governor and is responsible for oversight of pharmacists and pharmacies around
the state. Services provided by the department to the board include correspondence 
with licensees, processing and issuing license applications, organizing meetings, 
and maintaining the MPDR. The board has one full-time administrative specialist
managing MPDR for the board.


Any technical work related to MPDR is done by a state contracted vendor. The vendor 
is approved by the State Information Technology Services Division (SITSD) through 
a term contract. The board developed a work order under this term contract for the 
development, hosting, and maintenance of MPDR in 2011. The same vendor currently 
maintains the technical aspects of the registry and assists the board with technical 
queries such as problems with registration, data submissions, rejections, and errors. 
Since inception, the registry has added the following functionalities: 


• Prescription data sharing: Allows prescription drug data to be shared with
other states that have prescription drug registries.

• Pharmacy audit submission reports: Track pharmacies’ prescription drug
report submissions.

• Searching within registry: Allows users to search for patient information.

• Prescribers and pharmacists can delegate search authority: These users can
delegate their access to other medical professionals.

• Searches can be traced and tracked: Allows patients to see who has searched
their record.

• Law enforcement reports: Pursuant to a subpoena, report on prescription
data provided to law enforcement.

• Statistical reports: Provide registration and use statistics.

• Error reports: Provide a list of errors in a pharmacy submitted report.


MPDR Funding and Costs 


To date, the department has spent $1,888,645 on the registry, which includes initial 
planning, development, maintenance, and operational expenditures. According to 
the board, Table 1 displays funding, income, and expenses related to the
registry since 2012. 


Table 1
MPDR Funding and Costs

          Grant Funds    MPDR Fees    Total MPDR    MPDR Expense
          Awarded        Collected    Income        Total
FY2012    $397,521       $0           $379,521      $276,199
FY2013    $0             $63,480      $63,480       $280,955
FY2014    $376,137       $96,600      $472,737      $215,670
FY2015    $0             $23,151      $23,151       $114,442
FY2016    $364,304       $193,040     $557,344      $306,392
FY2017    $0             $247,260     $247,260      $428,013
FY2018    $0             $220,410     $220,410      $266,973
Totals    $1,137,962     $843,941     $1,981,903    $1,888,645


Source: Compiled by Legislative Audit Division from board records. 





Prior to MPDR implementation, the Montana Board of Crime Control (MBCC) 
was awarded a $398,000 grant for the creation of a prescription drug monitoring 
program to reduce the misuse and abuse of prescription drugs and aid investigations 
of pharmaceutical crime for Montana. The grant was awarded through the 
US Department of Justice and facilitated by the MBCC. Because the registry was 
allocated to the board, MBCC distributed the grant funds to the board. 


MPDR is also funded by prescriber and pharmacy license fees. All Montana licensees 
who are authorized to prescribe or dispense controlled substances pay an annual fee of 
$30. This fee is collected during the license renewal process and is paid by pharmacists, 
doctors, physician assistants, dentists, podiatrists, advanced practice registered nurses, 
optometrists, and naturopathic physicians. 


MPDR Data 


Controlled substances are drugs required to be dispensed only under a physician’s 
prescription. These drugs have high risk of addiction, abuse, and death, as well as 
potential for trafficking by illegal means. Controlled substances are classified under a 
schedule rating shown in Table 2, where Schedule I is illegal illicit drugs
such as methamphetamine, heroin, and crack cocaine and Schedule V drugs have low
potential for abuse. Schedule I drugs are not included in the registry because they
are illegal and should not be dispensed. Schedule II-V drugs dispensed to humans or
animals are submitted to the registry.


18DP-01


Montana Legislative Audit Division 


Table 2
Prescription Drug Schedule Ratings

Schedule    Description
I           Illegal Drugs
II          High potential for abuse, with use potentially leading to severe
            psychological or physical dependence
III         Moderate to low potential for physical or psychological dependence;
            abuse potential is less than Schedule II but more than Schedule IV
IV          Low potential for abuse and low risk of dependence
V           Lower potential for abuse than Schedule IV and consist of preparations
            containing limited quantities of certain narcotics, generally used for
            antidiarrheal, antitussive, and analgesic purposes



Source: Compiled by Legislative Audit Division using information obtained from 
Montana Code Annotated, US Drug Enforcement Agency, and Center for 
Disease Control. 





Prescription drug registries like MPDR have been implemented in every state to track 
controlled substance prescriptions. The main purpose of MPDR is to collect data 
related to dispensed prescriptions for Schedules II-V. The data submitted to the registry 
contains patient personal health information (PHI), prescriber name, pharmacy 
information, and dispensing data. Dispensing data in MPDR includes date written, 
date filled, drug name, and quantity dispensed. Prescription data is considered PHI 
because it includes patient name, date of birth, contact information, and prescription 
health history. 


MPDR Submission Process and Use 


Pharmacies are responsible for submitting all controlled substances dispensed to 
patients. Figure 1 shows that once data is submitted by the pharmacy,
prescription information is available to five types of stakeholders: the patient by request, 
patient providers through searches, board compliance investigators, public health and 
safety researchers, and law enforcement when investigating prescription drug related 
crimes via subpoena. Chapter 89 of the 2019 Legislative Session requires prescribers or 
their delegates to review a patient's records in the MPDR prior to prescribing certain 
substances; however, during audit fieldwork the law did not have this requirement. 


Figure 1
MPDR Data Flow

[Figure: After a pharmacy fills and dispenses a prescription, the pharmacy submits prescription data. Panels: Physicians view registry data; Board of Pharmacy exports registry data & statistics; Public health & safety research; Patient request for personal health data; Subpoenaed law enforcement reports; Board investigations.]

Source: Compiled by the Legislative Audit Division.





All licensed pharmacies are required to report dispensed controlled substances within 
one business day. Data submission into the registry can occur several ways:

• Secure File Transfer Protocol Connection: Secure File Transfer Protocol
is a nationally accepted method for electronic transmission of protected
health information. This is an automated electronic connection between a
pharmacy’s computer and the MPDR. This method can be used for uploading
data files and for submitting Zero Reports. Zero Reports are submitted by
pharmacies that have not dispensed any Schedule I-V controlled substances
within a defined time frame.

• Manually Upload Files: Pharmacies save all prescription drug information
for reporting period into one file and log into the registry portal to upload
the file.

• Manual Data Entry: Pharmacies log into the registry portal and manually
enter the individual information, like patient name, prescription number,
and days of supply.

Many pharmacies choose to coordinate with software vendors to submit the reports
discussed above. This is accomplished either directly with the pharmacy’s software 
vendor or through the pharmacy’s corporate office. Pharmacies also have the option 
to directly submit the data into the registry, although this typically occurs at locally 
owned pharmacies or hospital pharmacies. 


The Future of MPDR 


The board is currently developing a request for proposal (RFP) for a new registry. 
The board indicated there are many systems already being used by other states that 
could provide effective and sustainable functionality as prescription drug registries 
expand nationally. The board feels these commercial off-the-shelf systems will be 
more adaptable to changes than the current in-house developed registry. The division 
requested one-time HB 2 funding from the 2019 Legislature for development and 
implementation of the new registry. Consequently, new development or initiatives are 
on hold in the current system until a new vendor/registry is awarded through the RFP. 


Audit Scope 


While our audit focused on the board’s activities related to maintaining MPDR, we 
also reviewed the support activities from DLI Technology Services Division (TSD) 
and SITSD. This audit focused primarily on three areas: 

1. MPDR contract and project management by the board and the role of
SITSD relative to the term contract. We examined 2012 to 2018 vendor
payment data, services delivered, and contractual obligations.

2. Security over information within the registry. Since MPDR data is hosted
with the vendor, we looked at how the board assures security of the registry
through coordination with SITSD and user management practices. This
included reviewing user access and employment history of individuals with
access to the registry. The time frame for this review was January through
June 2017.

3. Data integrity and utility. To determine the reliability and completeness
of the registry, we reviewed and tested prescription drug registry data for
2016-17. Testing also included identification of potential prescription drug
misuse and abuse.


Scope Limitation 


Audit standards require us to clearly specify any scope limitations within our report. 
Scope limitations include actions taken by the auditee that limit our ability to 
complete audit work punctually and rely on evidence provided. We experienced an 
eight-month delay in the department providing us access to MPDR, which contained 
all pertinent information needed to complete our audit. We initially received access to 
search individual patients through the online portal; however, our work required us to
perform a mass data analysis. We requested this access in January 2018 and did not
receive access until August 2018. The Legislative Audit Division (LAD) has legal access
to personal health information through Title 5, Chapter 13, MCA, (Legislative Audit
Act) and federal law (HIPAA). Despite this, the department denied access based on
concerns over PHI contained in the registry, and whether LAD had legal authority to
access this information. In August 2018, we signed a memorandum of understanding
with the department agreeing to provide us access to MPDR and ensuring we would
keep MPDR data secure. While the department is expected to perform due diligence
in ensuring security of PHI, we believe delaying access for eight months was excessive
and unnecessary.


Delays of this nature impact our ability to effectively develop audit scope and
methodologies, increase risks of data being changed or altered, and result in untimely
completion of our audit work. The delay we experienced during the audit resulted
in reporting our findings after the 2019 Legislative Session. If we had received
the information in a timely manner, our audit report would have been ready for
the 2019 Legislative Session.


We also experienced constraints to our audit approach and analysis due to limited 
reliability of MPDR data. This included missing data, nonsensical data, and
inconsistencies in data reporting.


Audit Objectives 
We developed the following audit objectives related to MPDR: 


1. Determine if the Board of Pharmacy is managing the vendor contract by 
ensuring contractual obligations are met. 


2. Determine if the Board of Pharmacy is governing and defining security over 
personal health information. 


3. Determine if the Board of Pharmacy is ensuring protection of personal 
health information through user management procedures. 


4. Determine if the Board of Pharmacy is ensuring integrity of registry data
and if that data is being used to effectively prevent misuse and diversion. 


Audit Methodologies 


Steps taken to answer our objectives included: 


• Analyzed MPDR work orders, change requests, and enhancements to compile
contract payment data and identify service delivery dates and payment dates.

• Compared Project Management Body of Knowledge national standards and
state requirements to board’s project and contract management practices.




• Interviewed MPDR board staff to review contract information, daily tasks
and processes, and overall security over MPDR.

• Researched and reviewed vendor security reports, state security policy, and
coordination of responsibilities over MPDR security.

• Interviewed Department of Labor and Industry and State Information
Technology Services Division staff to determine security measures and
procedures.

• Researched and reviewed federal HIPAA rules and guidelines and compared
current board practices to HIPAA standards.

• Compared security industry standards to MPDR user management policy
and procedure.

• Interviewed MPDR administrative staff, board staff, and registry stakeholders
such as Department of Justice and Department of Public Health and Human
Services staff to determine effectiveness and accuracy of MPDR data.

• Observed MPDR staff to verify manual work conducted.

• Researched, identified, developed, and tested MPDR data integrity tests
including completeness of the data, accuracy of the data, and usefulness of
the data.

• Researched and compiled best practices, industry standards, state rule, state
law, and federal law to define misuse and diversion activity and thresholds.

• Conducted MPDR data analysis testing for potential abusive activity for
calendar year 2016 through 2017.

• Compared board’s management over MPDR and use of registry data to best
practices and recommendations from similar states and national standards.


Report Contents 


The remainder of this report includes additional background and details of our
findings, conclusions, and recommendations. It is organized in the following manner:

• Chapter II addresses management practices and resources allocated to the
registry at the time of audit fieldwork.

• Chapter III discusses the registry’s security management of sensitive data and
deficiencies in user access control.

• Chapter IV presents information regarding the reliability of prescription
drug data.

• Chapter V discusses the effectiveness of the data in improving patient safety
and addressing misuse and diversion.

• Chapter VI provides recommendations for ensuring the future of the registry
is successful.


Chapter II - The Board of Pharmacy Needs to
Improve Montana Prescription Drug Registry 
Project and Contract Management Oversight 


Introduction 


Our first objective was to determine if the Board of Pharmacy (board) is actively 
managing the Montana Prescription Drug Registry (MPDR) vendor contract and 
ensuring obligations are met. Sound contract and project management ensures this 
happens by establishing consistent practices that govern system development and 
oversight of third party contracts. These management elements are important for 
ensuring project obligations are met, payments are executed properly, and MPDR is 
providing reliable information. Without these oversight elements, the board increases 
risks such as overpayment and untimely delivery. This leaves less time and resources 
to address the intent of the registry: improving patient safety by reducing the risk of
overdose deaths and substance abuse and addiction. 


This chapter discusses our review of MPDR work orders, the board’s payments to 
the vendor, the delivered functionality of the registry, and contract and project 
management. Through this work we found the board did not follow established 
management procedures to ensure contractual obligations were met specific to MPDR. 
The following sections address actions the board should take to ensure compliance 
with the contract, state law, and state policy and to increase its capability to better 
manage the registry. 


Multiple Standards Exist to Ensure 
Funds Are Spent Effectively 


Due to the importance of mitigating information technology project and contract 
management risks, there are multiple policies, rules, and laws addressing quality 
assurance. The Department of Administration’s State Procurement Bureau (SPB) 
and State Information Technology Services Division (SITSD) provide guidelines and 
policies to ensure agencies are consistent in standards and practices. State procurement 
rules, state law, and policy document that quality assurance reviews should be part of agency
contract management procedures and incorporate corrective actions for vendors who
are not meeting contractual obligations. For example, vendors not delivering required 
services or meeting required timelines can have corrective actions taken, including 
cancellation of the contract. SITSD also requires alignment with project and contract 
management standards outlined in project management national standards. The 
contract should enforce obligations outlining assurance and monitoring activities on 
a scheduled basis. This not only provides assurances over meeting the requirements of 


SB DP -01| 


10 


Montana Legislative Audit Division 





the system, but also provides transparency to funding sources, registry stakeholders, 
and users. Without these quality assurance measures, neither party can identify poor 
vendor performance or contractual obligations. 


MPDR development was funded by a federal grant which provided an opportunity to 
enhance the state’s capacity to collect and analyze controlled substances data through 
a centralized database. The grant was facilitated through the Montana Board of 
Crime Control (MBCC). According to MBCC, the grant does not contain explicit 
language outlining payment terms such as requiring delivered and approved services 
prior to payment, but they indicated it must align with state procurement and contract 
management standards. 


Contract Management and MPDR Development 
Weaknesses Occurred Throughout System 
Implementation and Maintenance 


Our work reviewed the various contracts, obligations, and responsibilities involved in 
managing MPDR. This included the term contract managed by SITSD, system work 
orders developed by the board and Department of Labor and Industry (DLI), and how 
the responsibilities and relationship are structured between SITSD, DLI, the board, 
and SPB to oversee the system and manage the work order specific to MPDR. Through 
interviews and examining documentation, we found the board did not take an active 
role in addressing vendor issues nor did it assure the work order contained required 
language to achieve a successful implementation and future maintenance. The specific 
issues we identified within oversight and contract management are discussed in the 
following sections. 


Work Order Does Not Contain Required Language 


SPB created a Statement of Work (equivalent to work order) template in 2008 that 
contains detailed language regarding responsibilities, hours and rates, and completion 
criteria to support state agencies’ ability to manage contracts. However, after comparing 
this template to the MPDR work order, it was clear the SPB template was not used for 
MPDR. Because current board staff were not involved with registry development, they 
did not know the reason the template was not used for development of the registry. 


The MPDR work order outlined the deliverables needed to produce a functioning 
registry. However, it lacked specific language regarding board approvals, payment 
terms, and roles and responsibilities. We found no other plans or documents defining 
these required elements such as a responsibility document outlining vendor, security, 
and management responsibilities which is found in all system development projects. 


Without defined approval criteria and payment schedules, payments can be made 
without receiving working services, regardless of whether signature approvals are provided.
So, while the board approves functionality and pays for it, there is no assurance the 
functionality is useable because what is useable is not clearly defined. 


Grant Funded Payments Were Made 
Prior to Deliverables Being Met 


We identified issues when reviewing the work order and attempting to correlate 
subsequent system requests for functionality and payments made to the vendor. We 
identified several MPDR functions that the board paid for prior to implementation 
and that continue to have limited functionality. Since the work order does not indicate 
the dollar amount for developing and implementing each area of MPDR functionality, 
we could not identify an exact amount of money paid prior to system features being 
usable. 


For instance, Compliance Audit Reports (CARs) are used by the board to monitor 
and ensure pharmacies are properly reporting prescribed medications. These reports 
identify pharmacies not reporting data or fixing data errors. These audits are important 
because the process identifies pharmacies that are not in compliance with reporting 
requirements. Pharmacy reporting was paid for as part of the original work order 
payment, but an estimate of time, resources, and cost specific to CAR functionality 
was not specified in the original work order. These reports are not functioning as 
expected and require extensive review, recalculation, and data verifications, which 
creates unnecessary time allocated to pharmacy compliance audits. These reports 
should be reliable enough to complete the process in a week or two; however, the last 
complete audit done in 2018 took three months. 


We identified other areas of MPDR functionality that the board paid for but that are 
unreliable or not working as intended. Subsequent enhancement and change requests indicate 
that a minimum of $60,520 was paid to the vendor for this functionality. Examples of 
contractual issues include: 


• Law enforcement reports will time out and crash the system if there are large 
volumes of data within the reports, despite functionality being fully paid for. 
Law enforcement reports contain information related to potential criminal 
activity and are important for ensuring this activity is identified. Currently, 
the board must coordinate with the vendor to run reports. Although this 
work-around is providing the board what it needs, the board paid for this 
functionality to be in the system. 


• Data transfer to the Department of Public Health and Human Services 
(DPHHS) was delayed until May 2018. DPHHS uses this data to conduct 
research and provide findings to the state to address substance abuse in 
Montana. The board paid for the transfer in January 2018, but DPHHS did 
not receive the data until May 2018. This means the board paid for a service 
prior to the service being delivered. 


• Merge patient functionality is included in the original work order; however, 
according to board officials, this functionality was not further discussed with 
the vendor prior to being implemented. Now the functionality is unreliable 
and not used. Merge patient functionality is supposed to identify duplicate 
patients in the registry and allow the department to merge the patients’ 
records in the registry. This is an important functionality in addressing data 
integrity by ensuring a unique ID is assigned to individual patients. 


After discussing these issues with the board and MBCC in March 2018, MBCC 
extended the grant deadline to May 2018 to allow the board to complete the 
functionality. Because no acceptance criterion was established, the board approved all 
functionality funded by the grant by May 2018 even though certain functions, like 
CARs and merging patient records, are still unreliable. The board’s actions were not 
consistent with best practices and have led to paying for services prior to delivery of a 
useful, complete product. 


Delayed System Implementation and 
Missing Documentation Identified 

When reviewing the work order and requests for additional functionality and 
enhancements, we also identified several instances when the required deliverable 
timelines were shifted and extended. Official documentation surrounding these 
extensions did not exist. After we discussed the timeline issues with board officials, 
they created enforced timelines for the vendor. 


There were 34 change and enhancement requests made by the board to the vendor 
between MPDR implementation in 2012 and March 2018. We identified several 
timeline discrepancies, missing documentation, and improper signatures. We also 
found it took two years to develop and implement stakeholder-requested user access. 


Contract management standards specifically require documentation and approvals for 
these types of changes and decisions. While examining the requests, we identified 
multiple requests with the following issues: 


• Final acceptance documented on the request was prior to implementation of 
the specified functionality. 
• No documented approval from executives. 
• No expected delivery date established for the functionality. 
• Functionality that was implemented after expected delivery date. 
• No documentation of approvals or discussion for these timeline changes. 


The following table quantifies the issues we identified. 


Table 3 
System Request Analysis Results 

System Requests in Error                     % of Total Reviewed 
Final Acceptance Before Implementation       82% 
No Documented Approval                       50% 
No Documented Expected Delivery Date         50% 
Implemented After Expected Delivery Date     82% 
No Documentation of Timeline Changes         97% 

Source: Compiled by the Legislative Audit Division. 





Project management standards describe clear and precise approval criteria that outline stages 
of final approval. They also describe criteria that should be met before the deliverable can 
be considered complete. Most of the documentation we reviewed omitted information, 
such as changes in timelines, and was missing signatures from vendor, board, and 
SITSD. Not only does the statewide term contract indicate all signatures must be 
present before moving to the next stage, but standards also emphasize documented 
approvals for each step and decision. 


Minimal Communication and Accountability 
Contributed to Problems 


In the term contract, specific language outlines the state’s responsibility for contract 
oversight. It indicates the state Chief Information Officer (CIO), or office of SITSD, 
may perform contract oversight activities. These include identification, analysis, 
resolution, and prevention of deficiencies that occur within performance of contract 
obligations. It is the board’s responsibility to request support from SITSD, but the 
board did not seek this assistance to help resolve issues related to MPDR development 
and functionality. The CIO and SITSD had limited involvement in overseeing the 
MPDR contract. However, if the board had coordinated with either the CIO or 
SITSD, staff could have assisted the board in resolving issues and ensuring payments 
to the vendor were not made until issues were resolved. 


As part of managing vendor performance, weekly progress meetings between the 
vendor and SITSD are required to occur. However, we found these meetings did not 
consistently take place. Work order priorities, including those for MPDR, are one topic 
specifically required by the term contract to be discussed during these meetings. These 
discussions can also help address performance issues, but issues related to MPDR 
development and functionality were not brought forward. In addition to meetings 
between SITSD and the vendor occurring inconsistently, we found the board did not have 
a presence at these meetings when they did occur. Without board presence in these 
meetings or communication with SITSD, issues related to MPDR were not addressed. 


We determined the MPDR term contract and subsequent work orders split contract 
management between SITSD and the board. Without defined responsibilities, it is 
not clear who is ultimately responsible for MPDR contract management activities, 
such as communication and oversight. SITSD indicated it relies on the board to 
communicate issues. Conversely, the board believes SITSD is responsible for managing 
contract obligations with the vendor. The unclear definition of responsibility and 
communication between roles resulted in poor contract and project management of 
MPDR. 


MPDR Requires Established Procedures 
and Responsibilities 


While oversight and monitoring are SITSD’s role within the term contract, the board is 
responsible for ensuring oversight and monitoring of MPDR. The board is responsible 
for communicating progress and issues to SITSD, so the problems can be discussed 
and addressed by all parties. It is important the board coordinates with SITSD. The 
board is also responsible for ensuring the work order is managed according to contract 
and project management definitions. However, because responsibilities are not defined 
due to the missing language required in work order templates, none of the entities are 
held accountable to meet contractual obligations. 


Management over MPDR is important because it ensures the completeness of 
functionality as well as providing clear milestones and deliverables that align with 
payments and business requirements. With defined relationships and consistent 
management, both with the work orders and with the term contract, the following 
weaknesses with MPDR functionality and development can be mitigated: 

• Undefined payment terms and timelines. 
• Nonworking functionality. 
• Compliance with contractual terms and risk mitigation, including contractual 
breaches, financial penalties, and receiving services that lack quality. 
• Increased time and effort to support and maintain the registry. 


The board is currently developing an RFP to implement a new prescription drug 
registry. Following formalized procedures for effective MPDR contract management 
and contract development is necessary to ensure the success of future contracts and 
projects. The department and board officials indicate they are now following contract 
management processes and procedures as well as using department resources. 




RECOMMENDATION #1 





We recommend the Department of Labor and Industry regularly coordinate 
with the Board of Pharmacy to establish, follow, and enforce project and 
contract management procedures to include: 


A. Definitions for communication expectations and responsibilities, 
B. Management of project changes and enhancements, and 


C. Adherence to state procurement standards. 




Data Destruction Was Not Timely 


Data destruction of information contained within MPDR is specifically required 
by §37-7-1508, MCA. Statute requires sensitive personal health information (PHI) 
collected for the registry to be destroyed after three years. Destroying data older than 
three years allows the board to lower its risk of large amounts of data being stolen. 


MPDR was required to have an automated data destruction function developed to 
comply with data destruction and retention laws. During our work, we found this 
function had not been implemented and was a year overdue from when it was supposed 
to be operational. This functionality was deprioritized by the board and the vendor to 
get other MPDR functions such as patient searches and online registration finished 
first. In January 2019, two years after the initial request for functionality, the board 
implemented the data destruction functionality. There is now an automated process 
to remove all data older than three years. According to the board, this process runs 
automatically at the end of every month. 


While this addresses MPDR data controlled by the board, DPHHS epidemiologists 
also hold a one-time copy of MPDR data to identify statistics and trends in drug 
prescriptions for educational and public research purposes. However, because data 
destruction was not implemented when data was shared, DPHHS received data from the 
inception of MPDR in 2012 until the end of 2018. A Memorandum of Understanding 
(MOU) was signed between DPHHS and the board to ensure protection and use of 
the data, but it does not contain a provision that PHI information will be destroyed or 
de-identified after three years. The MOU only states that data received will be archived 
by DPHHS. 

While DPHHS needs large data sets to analyze long-term trends, sending identifiable 
patient data does not align with MPDR data destruction and retention statute. It 
increases the impact of a data breach if one were to occur within DPHHS. The board 
needs to work with DPHHS to destroy or de-identify data over three years old. Having 
a data destruction and retention plan will ensure timely destruction in accordance 
with statute. A thorough plan would include any shared data with authorized entities 
and would minimize the effect of any potential security breaches. 




RECOMMENDATION #2 





We recommend the Department of Labor and Industry and the Board of 
Pharmacy: 


A. Work with Department of Public Health and Human Services to 
immediately and permanently destroy or de-identify prescription drug 
data older than three years. 


B. Develop a data destruction and retention plan to ensure destruction of 
shared prescription drug data. 




Chapter III - Security Governance 
and User Management 


Introduction 


The Montana Prescription Drug Registry (MPDR) contains personal health 
information (PHI) such as patient names, birthdates, and prescribed medication, 
which is classified as confidential information. If this data is not protected, the risk 
of personal medical records and personal health information (PHI) being stolen or 
shared with unauthorized individuals increases. 


Our second objective was to determine if the MPDR has efficient governance over 
system security to prevent unauthorized access to PHI. This chapter discusses the 
current security measures the Board of Pharmacy (board) is taking to protect PHI 
through assuring security of the system and managing user access to system data. 
It explains our review of current security procedures relative to those required by 
federal law and state policy. We address the need for the board to improve security by 
complying with these laws and establishing more comprehensive user management 
procedures. 


MPDR Security Requirements 


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the 
federal law designed to provide privacy standards to protect patients’ medical records 
and other health information. HIPAA laws exist to ensure private health information 
is protected, including prescription drug information. Security rules exist within 
HIPAA to ensure the confidentiality, integrity, and security over PHI. Similar to a 
covered entity under HIPAA, the board’s management of MPDR must be consistent 
with privacy provisions. These rules include standards that relate to PHI. The rules 
encompass information that is created, received, used, or maintained, and require the 
following safeguards: 
• Administrative: This includes administrative actions (referred to as 
safeguards), and policies and procedures to manage selection, development, 
implementation, and maintenance of security measures to protect PHI. One 
important piece of administrative safeguards is a security plan that includes 
conducting comprehensive risk assessments. 


• Physical: Physical measures, policies, and procedures protect the board’s 
PHI information systems and related buildings and equipment from natural 
and environmental hazards, and unauthorized intrusion. Examples of these 
measures address facility and work station security. 


• Technical: These safeguards are directed at technology and the policy and 
procedures for its use that protect PHI and control access to it. Examples of 
technical safeguards include ensuring data are not improperly altered and 
access to the data is controlled. 


Along with federal laws, security standards required for all systems within Montana, 
no matter what data are involved, also need to be met. This includes more detailed 
requirements, specifically in user management, that were used for our audit. 


Current Security Assurances Are Limited 


Because MPDR data is hosted by the vendor, it was agreed the board would rely on the 
vendor's security measures. As part of the assurance over the security of the vendor’s 
data center and services, the vendor provides yearly reports to the State Information 
Technology Services Division (SITSD). SITSD reviews these reports as part of 
managing the term contract with this vendor. According to SITSD, they discuss 
various reports monthly with the vendor to address security. We reviewed two of these 
reports in-depth and identified that MPDR is not within the scope of these reports. 
We also determined that HIPAA security safeguards were not assured through the 
other security reports provided to SITSD at the time of our review. Further discussion 
with SITSD indicated that third-party assurances were going to change in 2018 to 
provide HIPAA assurances. 


Requiring the vendor to provide these reports gives assurance over their management 
of the registry; however, the department and board need to take additional steps to 
comply with HIPAA security rules. Through comparison of best practices and HIPAA 
laws to board procedures, we identified administrative and technical safeguards such 
as risk analysis and user management procedures that were not being conducted. By 
implementing these procedures, the board will be able to establish necessary security 
over PHI as well as update security protocols as risks evolve. For example, the use of 
multi-factor authentication to view or access PHI is not required by HIPAA. However, 
guidelines within HIPAA security rules provide further specifications like this for 
consideration during risk analysis. If the risk analysis points out vulnerabilities in data 
transfer, it recommends implementing multi-factor authentication. 


Security Governance and Responsibility Is Undefined 


The Board of Pharmacy (board), the Department of Labor and Industry (DLI), and 
SITSD understand the importance of security over the vendor and the system; however, 
MPDR is unique in that it has multiple entities with a role in securing PHI. Because of 
this, thorough understanding of how this structure provides all the necessary security 
and who is responsible for various security measures is paramount. The term contract 
and MPDR statement of work do not contain language regarding the measures taken 
to protect PHI. We did not identify clear documentation of system security governance, 
details for security responsibilities, or established procedures to assure security. This 
leaves each entity managing its own security measures with limited understanding of 
how it all coordinates to ensure HIPAA and state policy compliance: 

• DLI's Technical Services Division (TSD) manages security services such as 
security awareness and training for board staff with general policies used 
for all DLI systems. However, those policies and procedures do not address 
HIPAA-required procedures needed for PHI within MPDR. 


• The board manages administrative procedures to ensure security like user 
access and data sharing. It does not have complete system security policies 
or procedures that meet administrative safeguards required by HIPAA and 
state policy. 


• SITSD manages vendor level security through SOC reports, but these 
reports do not provide complete HIPAA assurance. 


Responsibilities over the governance of the security of MPDR include ensuring 
security services are provided for protection over PHI and developing a security plan. 
A security plan specific to MPDR would define these security measures and how they 
are coordinated, identify gaps between individual security procedures, and clearly state 
who is responsible for each security measure. 


HIPAA Security Rule Is Not Fully Implemented 
Due to Incomplete Security Management 


Without clear responsibilities and knowledge of security standards, the risk for 
noncompliance and unauthorized access to data is increased. We found security 
procedures like those required by HIPAA have not been prioritized due to a lack 
of security planning and governance related to MPDR. This includes developing 
clear lines of responsibilities between the board, DLI, and SITSD, and performing 
ongoing risk assessments. Governance would ensure that all security measures work in 
coordination to meet all applicable state and federal laws. The board needs to establish 
a security plan and security governance specific to MPDR, so any unique situations 
can be addressed to reduce these risks. 


RECOMMENDATION #3 





We recommend the Department of Labor and Industry work with the Board of 
Pharmacy to develop a governance structure and implement a security plan 
for the Montana Prescription Drug Registry that: 


A. Defines the security responsibilities, 
B. Requires annual risk assessments, 
C. Mitigates significant security risks as identified, and 
D. Ensures compliance with HIPAA security rules. 


User Management Is Crucial for Securing 
Personal Health Information 


Technical safeguards are required through HIPAA security rules and are important 
in ensuring PHI is not accessed by unauthorized individuals. One of those safeguards 
is user management. User management controls what type of access system users 
have and limits what data they can see. It also is a process for consistently managing 
users by thorough reviews of system access and activity. We found the board needs to 
improve user management practices to meet both HIPAA technical safeguards and 
user management best practices. 


MPDR User Access Structure 


To gain access to MPDR, the user needs to register with the board. Various user types 
exist within the system. These include: 


• Registered Users: Registered users are primarily medical licensees with the 
authority to prescribe medications in Montana. Self-study training courses 
are available to registered users regarding system protocols. After reviewing 
training documents, users register with the board, which allows them to 
search the database. Registration requires name, date of birth, medical license 
information, and contact information. Once registered, users are required 
to create a secure account to access MPDR on the state network. During 
fieldwork in April 2018, the board reported MPDR had 3,494 registered 
users. 


• Delegated Users: Registered users also have the option to delegate their 
authority to view patient information within MPDR. Delegates can be a 
variety of users, such as nurses or pharmacy assistants; however, they are not 
required to be licensed healthcare workers. During fieldwork in June 2018, 
the board reported 1,211 active delegates. 


• Administrative Users: These users are both board staff and vendor staff. 
Vendor staff must sign and return an agreement outlining acceptable use of 
the system prior to obtaining access. The vendor primarily accesses MPDR 
for customer service assistance, such as help desk tickets, verifying key 
functionalities are working, and troubleshooting submissions. Administrative 
users can search patient and provider histories, review supervisor/delegate 
search history, and establish users within the system. During fieldwork in 
May 2018, the board reported eight administrative and other users, such as 
representatives from Department of Public Health and Human Services. 


User Management Procedures Need Improvement 


The board established procedures for granting access to MPDR. This includes 
approval of initial access for only registered users and controlling their access through 
systematic verification of license status at log-in, and by monitoring complaints 
of inappropriate use. If the board determines user access should be revoked due 
to a complaint, such as a violation in prescribing laws, the board provides written 
notification to the user’s supervising board explaining why access should be revoked. 
It is up to the supervising board to decide if access should be revoked. We did not find 
any instances of complaints being received and access being revoked. It is unclear what 
constitutes a complaint serious enough to revoke access. 


Through interviews with board staff and review of these user management policies and 
procedures, we identified multiple issues that increase the risk of unauthorized access. 
These include: 


• Reviews of administrative and delegated users are not conducted consistently, 
which poses a significant MPDR security risk. Currently, the board relies on 
the contracted vendor to self-report user access changes. To manage delegated 
access, the system establishes a required review date when registered users 
will be reminded to review their delegates’ access, or it will be terminated. 
However, registered users can change these review dates, which bypasses the 
control. Without having an independent scheduled review of all users, the 
registry data could be accessed by unauthorized users. State security policy 
and TSD policy require annual reviews be conducted to mitigate these 
types of risks for all systems. 


• Board MPDR access policy requires detailed audit documentation outlining 
vendor administrative staff use, but we found this documentation does not 
exist. Vendor access needs significant control because it not only allows access 
to view patient data, but also view and modify all data and system code on 
servers hosted with the vendor. To prevent unauthorized activity, the board 
requires the vendor to sign an agreement, but it does not enforce security 
by monitoring and reviewing vendor access consistently. Access and activity 
reviews need to include vendor staff and documentation of these reviews 
should be maintained. 


• Board staff are responsible for reviewing all MPDR users, including 
administrative users who have access to view all patient data due to the 
various statewide customer support needs, data quality procedures, and 
pharmacy audits. However, we found that in practice, responsibility for 
reviewing all MPDR users is left to one board staff member. This person 
also has administrative access, so a conflict of interest exists because they 
are also responsible for monitoring their own access. According to industry 
standards, access control prevents users from having all the authority or 
information access, especially without review by another person to ensure 
this access is not misused. 


• User access termination controls do not cover all users to ensure access is 
removed on a timely basis. Delegated users are not controlled by administrative 
staff but are self-governed by associated registered users. The board relies 
on a registered user’s secure network account to expire for termination of 
delegated user access to MPDR, particularly if the registered user does 
not actively manage delegated user access. After 24 months of inactivity 
the secure network account is deactivated, but this does not deactivate the 
MPDR account. Consequently, this allows for two years of unauthorized 
access to MPDR information. Relying on secure accounts to deactivate also 
does not address delegated users changing supervising providers. It is the 
previous manager’s responsibility to remove access. Therefore, it is likely a 
delegate could be listed under two managers if the former manager did not 
terminate their relationship. In this instance, the user would still be active but 
would have access to specific patient information under the former manager 
that is no longer necessary. 


Self-Governing Access Does Not Meet Best Practices 


Although registered users are responsible to self-govern, the board is responsible for 
ensuring user management is occurring, whether it be by board staff or supervising 
providers. Board staff, as “system owners”, are accountable for making sure this 
information is protected and accessed by authorized individuals. Multiple key controls 
in user management criteria exist and it is the board’s responsibility to ensure they are 
implemented to enforce MPDR security, manage conflicts of interest, and monitor 
user activity. 


If users can access the system after terminating employment, the potential for illegal 
access to personal health information increases. Therefore, ongoing monitoring of user 
activity and ensuring access is appropriate is crucial to protecting MPDR data. 


Current Access Controls Allow Unauthorized Access 


Since the board does not conduct user reviews, we reviewed a sample of active 
delegated MPDR users from various supervising provider license types, such as medical 
doctors who had delegated search authority to a nurse or technician. We compared 
unemployment insurance payroll records of delegated user employers with supervising 
provider employers to determine if the delegate user had been employed at the same 
organization as their supervisor. If a supervising provider was managing delegate 
access, the delegated user’s employer would match in the payroll records maintained 
by the department. 


We reviewed 56 delegate relationships that were active during the first quarter of 2018. 
These relationships related to seven different types of supervising providers: physician 
assistants, physicians, pharmacists, advanced nurse practitioners, dentists, registered 
nurses, and podiatrists. The delegated users for these supervising providers are generally 
office assistants, nurses, and technicians. Our audit work identified 24 delegates who 
were not employed under the same facility as their managing provider during the time 
their delegate relationship was active in the system. Board officials indicated there are 
instances where a delegate may not work in the same facility as the supervisor. Because 
of this, these results may be valid exceptions. However, this test still provides insight 
to management of delegate relationships. These results are shown in the figure below. 


Figure 2 
Delegate User Employment Verification: Questionable Delegate Access by 
Associated User License Type 

[Chart: Questionable Access versus Verified Access for Physician Assistants, 
Physicians, Advanced Nurse Practitioners, Registered Nurses, Pharmacists, 
Podiatrists, and Dentists.] 

Source: Compiled by the Legislative Audit Division using Montana Prescription Drug 
Registry and unemployment insurance data. 


Because we could not correlate employment for almost half of the delegate relationships 
reviewed, there is a probability that supervising providers are not managing delegate 
access as required. This increases the risk of unauthorized access, and is compounded 
by the reliance on an activity-based termination. If these users no longer need access 
to MPDR but the delegate relationship still allows them access, they may never be 
terminated if they log into the system through the secure network account to remain 
active. This control structure allows for an unauthorized user to have permanent 
access to PHI if the supervising provider has extended the user’s access review date far 
enough. The relationship status between the delegate and supervising provider will not 
limit this access either if the supervising provider's licensing status is inactive and 
he/she is blocked from using MPDR. 
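An independent delegate review along the lines of the audit test described above, shown as an added example (not code from the audit, the board, or the vendor). The record layout, flag names, the 365-day ceiling taken from the annual-review policy mentioned earlier, and all sample data are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Assumption: ceiling on how far a review date may sit from the last review,
# based on the annual review requirement cited in the report.
MAX_REVIEW_INTERVAL = timedelta(days=365)


@dataclass(frozen=True)
class Delegation:
    """One active delegate-to-supervisor relationship (hypothetical layout)."""
    delegate: str
    supervisor: str
    last_reviewed: date
    review_due: date  # editable by the supervising provider in the system described


def review_delegations(delegations, license_active, employers):
    """Return {(delegate, supervisor): [flags]} for relationships needing follow-up.

    Flags are leads for a human reviewer, not grounds for automatic revocation:
    the report notes that an employer mismatch can be a valid exception.
    """
    supervisors_of = defaultdict(set)
    for d in delegations:
        supervisors_of[d.delegate].add(d.supervisor)

    findings = {}
    for d in delegations:
        flags = []
        # Delegate access outliving a supervisor whose license is no longer active.
        if not license_active.get(d.supervisor, False):
            flags.append("SUPERVISOR_LICENSE_INACTIVE")
        # The audit's payroll test: no employer in common during the period.
        shared = employers.get(d.delegate, set()) & employers.get(d.supervisor, set())
        if not shared:
            flags.append("EMPLOYER_MISMATCH")
        # Review date pushed out far enough to bypass the periodic review.
        if d.review_due - d.last_reviewed > MAX_REVIEW_INTERVAL:
            flags.append("REVIEW_DATE_EXTENDED")
        # Delegate still listed under a former supervisor as well as a current one.
        if len(supervisors_of[d.delegate]) > 1:
            flags.append("MULTIPLE_SUPERVISORS")
        if flags:
            findings[(d.delegate, d.supervisor)] = flags
    return findings


def flag_counts(findings):
    """Tally how many relationships carry each flag, for the review record."""
    return Counter(flag for flags in findings.values() for flag in flags)


# Constructed sample data (not registry or payroll data).
SAMPLE_DELEGATIONS = [
    Delegation("del-01", "sup-A", date(2018, 1, 10), date(2018, 7, 10)),
    Delegation("del-02", "sup-A", date(2017, 6, 1), date(2027, 6, 1)),
    Delegation("del-03", "sup-B", date(2018, 2, 1), date(2018, 8, 1)),
    Delegation("del-04", "sup-A", date(2017, 11, 1), date(2018, 5, 1)),
    Delegation("del-04", "sup-C", date(2018, 3, 1), date(2018, 9, 1)),
]
SAMPLE_LICENSE_ACTIVE = {"sup-A": True, "sup-B": False, "sup-C": True}
SAMPLE_EMPLOYERS = {
    "sup-A": {"Clinic 1"}, "sup-B": {"Clinic 2"}, "sup-C": {"Clinic 3"},
    "del-01": {"Clinic 1"}, "del-02": {"Clinic 1"},
    "del-03": {"Clinic 9"}, "del-04": {"Clinic 3"},
}

if __name__ == "__main__":
    results = review_delegations(
        SAMPLE_DELEGATIONS, SAMPLE_LICENSE_ACTIVE, SAMPLE_EMPLOYERS
    )
    for pair, flags in sorted(results.items()):
        print(pair, flags)
    print(dict(flag_counts(results)))
```

Run on a fixed schedule by someone other than the supervising provider, a review like this does not depend on the provider-editable review date or on account inactivity.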


Board Has Not Prioritized User Management 


According to board officials, the board trusted MPDR was working as needed with the 
current automated registration process, which automatically verifies the license of a 
supervising provider in the licensing database. Consequently, board officials placed a 
low priority on conducting reviews and monitoring activity. Even though the job description 
of the board staff member requires these reviews to occur, other job duties have taken 
priority. 


The board has relied on MPDR’s automatic registration process to identify and remove 
unauthorized users when their license expires. However, this automated process only 
captures those with licenses, not delegates or administrative users. The board does 
not have an alternative process to monitor user access, so it is also not ensuring the 
removal process is working. Periodic manual reviews should be conducted to verify 
the automated process is terminating unnecessary user access as needed. They should 
also be conducted to ensure delegated users and administrative users are removed as 
needed. TSD policy requires reviews be conducted every six months. The board and 
DLI should develop a formal process to monitor and review user access and activity. 




RECOMMENDATION #4 


We recommend the Department of Labor and Industry coordinate with the 
Board of Pharmacy to: 


A. Establish a process to enforce review of Montana Prescription Drug 
Registry delegate users. 


B. Develop and implement procedures to review administrative and vendor 
user activity. 




Chapter IV - Montana Prescription 
Drug Registry Data Reliability 


Introduction 


Data integrity is the assurance of the accuracy and consistency of data and is crucial 
for the Montana Prescription Drug Registry (MPDR) to ensure patient safety and 
to monitor prescription drug use. This chapter addresses our third audit objective to 
determine if the Board of Pharmacy (board) ensures the integrity of registry data. Our 
work identified several concerns related to the reliability and accuracy of MPDR data. 
This included missing data, nonsensical data, and inconsistencies in data reporting. 
This chapter discusses these issues in more detail and presents recommendations to 
address weaknesses we identified. 


Reliable and Accurate Data Is 
Important for Several Reasons 


MPDR having reliable and accurate data is important for several reasons, the most 
important being that accurate and reliable data helps ensure patient safety by ensuring 
prescription drugs are appropriately dispensed. There are also other reasons why data 
reliability is important for MPDR. These include: 
• Data sharing with other states and agencies: Other state agencies use the
  data to track prescription drug use and develop initiatives to improve the
  safety of Montana citizens. Using the data enables other agencies to address
  prescription drug use problems around the state, such as the Department of
  Justice using the data in criminal investigations. The ability to share this data
  across state lines provides a more complete and accurate history if patients see
  doctors in multiple states.

• Identification of improper prescribing and dispensing of prescription
  drugs: Evidence of misuse and diversion includes suspicious patient activity
  (doctor shopping, pharmacy shopping) and suspicious prescriber activity (pill
  mills, prescribing dangerous combinations, violating prescribing laws). These
  instances can be found and addressed if the data is accurate and complete.


We reviewed current systematic and manual processes to verify MPDR data integrity. 
We obtained all registry data for calendar year 2016 and 2017 and examined 3.9 million 
prescription drug records. This included testing various data fields to evaluate the 
accuracy and reliability of MPDR prescription data, patient data, drug data, and 
pharmacy data. 


Obtaining prescription drug data through MPDR is an important and significant step 
to help identify possible illegal prescribing and dispensing of prescription drugs to help 
the state respond to widespread opioid use. However, we noted several improvements
are needed to increase MPDR data reliability and how registry information can be 
used to address potential misuse and diversion of prescription drugs. According to 
§37-7-1502, MCA, the intent of the registry is to increase patient safety by reducing 
their risk of overdose and illegal use. Based on the weaknesses we identified with 
MPDR data, the registry has limited effectiveness in fulfilling this need. 


Some Controls Exist for Correcting Errors 


Pharmacies that dispense controlled substances are required by law and rule to submit 
dispensing information of prescription drug orders to the board. A pharmacy can 
submit and modify information within MPDR and can only modify the information 
it submitted. Pharmacies can also remove prescriptions that they previously submitted
from MPDR.


Some controls exist within MPDR to ensure the consistency of data submitted by 
pharmacies and entered into the registry, as required by §37-7-1503, MCA. There 
are simple checks and verifications that automatically occur when pharmacies or the 
pharmacy corporate office submit data. These verifications occur both for data that is
manually entered and uploaded through manual uploads and for direct connections. 
The following describes these verifications intended to help improve accuracy of data 
that pharmacies enter into the registry. 


File and/or Record Rejection: An uploaded file or record will not be loaded into 
MPDR if it does not meet the American Society for Automation in Pharmacy (ASAP) 
4.1 requirements or layout. ASAP 4.1 is the national set of data standards that states 
must follow to ensure prescription drug information is consistent between all states. 
These standards ensure the minimum data fields are consistently formatted and 
included in reporting, so data can be easily shared between states. If a file or record 
is rejected, the format needs to be corrected, and the entire file or record must be 
resubmitted to the MPDR by close of the next business day. When a file or record is 
rejected, the data is not stored in MPDR until the pharmacy resubmits the information 
in the correct format. 


Error Messages Requiring Corrections: An error message is sent to the submitter 
when a prescription is missing a required data element, such as patient name, within a 
prescription record. Error messages indicate the data was not loaded into the registry. 
A prescription record containing an error must be corrected and resubmitted to the 
MPDR by close of the next business day. During audit work, rule required submissions 
and corrections within eight days. 


Warnings Indicate Data Review: A warning indicates incorrect data was submitted in 
a field not required in ASAP 4.1, such as an indicator for partial fill of a prescription. 
A prescription that contains a warning is still loaded into MPDR. The warning 
recommends correction by the submitter, but does not stop data from being submitted 
to the registry permanently because the submitted data is not considered a requirement
for ASAP 4.1 standards.


Data Control Enforcement Should Be 
Conducted Regularly by the Board 


While these controls are in place, it is still up to a pharmacy to correct data errors. There 
is always the potential that pharmacies may not correct and resubmit prescriptions that 
were rejected by or had warning messages from MPDR. When this happens, data 
is missing from the registry and it reduces the reliability of information within the 
registry. The board has established procedures to hold the pharmacist in charge or 
pharmacy license-holder accountable through letters and phone calls for being out of
compliance with reporting requirements.


Compliance Audit Reports (CAR) produced by MPDR are intended to help the 
board audit pharmacy compliance by identifying pharmacies that have not registered 
or submitted data. CARs also identify those pharmacies that have not addressed 
rejections, errors, and warnings. CARs are the board’s only means to review and audit 
the accuracy of data maintained within the registry. These reports are part of MPDR’s 
incomplete functionality and are not functioning as needed by the board. So, although 
these reports are available to the board, the reports are not reviewed on a regular basis 
nor can they be relied on. 


Board Can Improve MPDR Data Integrity 


The board places significant reliance on CARs to review and audit MPDR data. 
Because they are not functioning correctly within MPDR, the board cannot provide 
complete assurance over the accuracy and completeness of the data. The current 
systematic controls and CARs do not identify data that is nonsensical or identify if 
pharmacies are entering information as required by rule; the controls only compare the 
data to the ASAP 4.1 format. Administrative Rules require additional data elements 
not included in ASAP 4.1 format. The format used is still accepted as a national 
standard; however, it is not the most current standard available. We also found the
board was not conducting regular reviews of pharmacy-reported errors and warnings. 
During our audit work, we noted the board had not reviewed the errors and warnings 
for 14 months. Delays like these in reviewing information do not hold pharmacies 
accountable nor ensure the integrity of MPDR data. 
IT industry standards refer to creating, defining, and implementing procedures to
ensure the integrity and consistency of all information in databases. Organizations 
need to consider the trustworthiness of data regarding data accuracy and integrity. 
Without this review, there is a risk that data the prescribers are using to verify their 
patients’ prescriptions are unreliable. 


We analyzed two years (2016 and 2017) of prescription data to identify the impact 
and extent of not reviewing data for completeness and accuracy. To test completeness, 
we compared data to reporting requirements established by rule and best practice. To 
verify accuracy of the data, we developed several data calculations and then reviewed 
the fields any reasonable person would question. Our review of MPDR data identified 
records that were permanently submitted with either incomplete or invalid data. The 
results of this review are discussed in the following sections: 


Patient Date of Birth: We reviewed MPDR data for birthdates that appeared 
unreasonable. We identified several instances where birthdates within the registry were 
incorrect. For example, our review found people born prior to 1900, and people born 
after the date MPDR received the data. 


We identified over 1,000 dispensing records that had a questionable patient date of 
birth in MPDR. These included: 


• Four records had dates listed after we received the data (for example,
  01/01/2020).
• 231 invalid dates (01/01/0001).
• 50 unlikely birthdates which occurred prior to 01/01/1900.
• Remaining records contained birthdates prior to 1912.


The accuracy of date of birth in MPDR is important because it is used to help identify 
patients along with first and last name. If the date of birth is wrong, a patient could be 
duplicated in the database or unidentified through patient searches. 


Prescription Dates and Refills: Section 50-32-208, MCA, outlines prescription 
filling and refilling requirements for prescribing controlled substances. Our audit 
analyzed data within MPDR to determine if prescriptions were filled according to 
these requirements outlined in statute. We developed several date calculations and 
our analysis of the results found potential statute violations. These tests identified 
several issues concerning prescriptions written by prescribers and prescriptions refilled 
by pharmacies. Figure 3 (see page 30) provides specific results of these tests outlined 
below: 


Emergency Prescriptions: The date the prescription was written was compared to 
the date it was filled to identify how long the prescription was being used and if the 
date filled was after the date it was written. In most cases this indicates an emergency 
prescription, allowed by law, that must be promptly reduced to writing. In total, we 
identified 147 of these instances. Further review of how many days were between 
the date filled and date written showed that half of these would not be considered 
“promptly” reduced to writing. Thirty-four of the prescriptions were written over 
100 days past the date they were filled. 


Aged Prescriptions: The age of a prescription was tested by calculating the time 
between the dates written and filled. This identifies how long ago a prescription was 
written and is still being used. Prescriptions should not be used for more than one year 
without being renewed by a prescriber, so we looked for prescriptions written prior to 
January 1, 2015. We identified 145 prescriptions being filled 1 to 2 years after they 
were written, and another 59 prescription fills ranging from 2 to 116 years after they 
were written. Further comparison to patient information indicates that the date written
field made more sense as a birthdate. 


Refills: Refill guidelines vary by the schedule of the drug. Schedule II drugs that
are more addictive are not allowed to be refilled without renewal or review by the
prescriber. Schedule III and IV drugs, which are moderately addictive, should not be
refilled more than five times or after 6 months. While a refill number is required to
be reported by all pharmacies, we had to create tests to count the number of times a
prescription was refilled. This is because the refill number, while still a number in the
registry, was not always accurate. Some prescriptions listed the first fill as refill 1 and
some started at 0. This is an example of why it is important to verify sensical data,
not just format. We identified over 20,000 Schedule II prescriptions that were issued
refills, and almost 2,000 Schedule III-IV drugs with greater than 5 refills.


Schedule III-IV Aged Prescriptions: As noted above, Schedule III and IV drug
prescriptions expire after six months and should not be filled after that. We compared
the dates these prescriptions were written to the dates that were filled and found
362 Schedule III-IV prescriptions that were refilled after 6-month expiration.










Figure 3 
Potential Issues Related to Prescription Dates and Refills 





Emergency Prescriptions: If controlled substances are dispensed without formal 
prescription, they must be promptly reduced to writing. 
Source: Compiled by the Legislative Audit Division through MPDR data analysis.





The board does not conduct reviews or validations of incoming prescription data. It is
unclear if our analysis results indicate suspicious prescription drug activity, if it is data
entry errors, or a combination of both. In either case, this type of analysis shows the
board should conduct analytical testing and reviews so it can follow up on questionable
data with submitting pharmacies. This would help improve MPDR data and help the 
board identify and investigate suspicious activity related to prescribing and dispensing 
prescription drugs. Investigations can result in a referral to Department of Justice 
(DOJ) and/or disciplinary action against a pharmacy. 


Further Data Validations and Review Are 
Needed to Increase MPDR Usability 


We identified more than 23,000 questionable records within MPDR related to 
birthdates and prescriptions filled by pharmacies. This is a small percentage of the 
millions of prescription-related data in the registry. Regardless, these situations could 
be potential illegal dispensing of prescription medications and should have been 
investigated by the board. 


We discussed these issues with the board and they indicated they place reliance on 
pharmacies to submit correct and timely data. For instance, the board claims the 
pharmacy systems prevent refills of Schedule II drugs. Partial fill of these drugs occurs
often, which would create a situation where the prescription is in the registry multiple 
times with different fill dates. When this occurs, the pharmacy should be using the 
partial fill indicator within the registry; otherwise, these would appear to be complete 
refills. Further review of our results showed instances where the partial fill indicator in 
the system was not checked, indicating the patient received the full prescription each 
fill. However, there is blank data in the partial fill indicator for many prescriptions 
because pharmacies are not required to provide this information. So, this field is 
unreliable in determining if these are data entry errors or evidence of criminal activity. 
The board acknowledged MPDR does not contain an accurate reflection of partial 
and complete dispensing of a prescription. Since the board neither reviews this data 
nor discusses these issues with pharmacies, the extent and actual cause for these data 
patterns observed in our analysis are unknown. 


The board needs to improve data quality assurance procedures to ensure the integrity 
of MPDR data. While the board cannot change data, they can develop stronger 
validations for data entry within the system. Options for addressing additional fields 
including date written, date of birth, and date filled include: 


• Validating data within the registry at data submission and through
  compliance reviews so nonsensical data can be identified.

• Using date and refill validations to determine if pharmacies are reporting
  incorrect information or are in noncompliance with state law.
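
The date, birthdate, and refill tests described in this chapter can be expressed as record-level validations. The following is an added example, not code from the audit or from MPDR; the field names, the reason codes, the 183-day approximation of six months, and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

ONE_YEAR_DAYS = 365
SIX_MONTHS_DAYS = 183  # assumption: six months approximated in days


def check_dob(dob, received):
    """Return a reason code for a questionable birthdate, or None."""
    if dob == date(1, 1, 1):
        return "dob_placeholder"  # stored as 01/01/0001
    if dob > received:
        return "dob_after_receipt"
    if dob < date(1900, 1, 1):
        return "dob_before_1900"
    if dob < date(1912, 1, 1):
        return "dob_before_1912"
    return None


def check_dates(rec):
    """Compare date written with date filled for one dispensing record."""
    age = (rec["filled"] - rec["written"]).days
    if age < 0:
        return ["written_after_filled"]  # emergency-prescription candidate
    if age > ONE_YEAR_DAYS:
        return ["filled_over_1_year_after_written"]
    if rec["schedule"] in (3, 4) and age > SIX_MONTHS_DAYS:
        return ["sched_3_4_filled_after_6_months"]
    return []


def count_refills(records):
    """Derive refills from distinct fill dates, ignoring the reported refill number."""
    fills = defaultdict(set)
    for rec in records:
        if rec["partial"] == "P":  # explicitly reported partial fill: not a refill
            continue
        # A blank indicator is counted as a full fill, so it surfaces for follow-up.
        fills[(rec["pharmacy"], rec["rx"])].add(rec["filled"])
    return {key: len(dates) - 1 for key, dates in fills.items()}


def validate(records, received):
    """Return {(pharmacy, rx): [reason codes]} for prescriptions needing follow-up."""
    findings = defaultdict(list)
    schedule = {}
    for rec in records:
        key = (rec["pharmacy"], rec["rx"])
        schedule[key] = rec["schedule"]
        for reason in [check_dob(rec["dob"], received)] + check_dates(rec):
            if reason and reason not in findings[key]:
                findings[key].append(reason)
    for key, refills in count_refills(records).items():
        if schedule[key] == 2 and refills > 0:
            findings[key].append("sched_2_refilled")
        elif schedule[key] in (3, 4) and refills > 5:
            findings[key].append("sched_3_4_over_5_refills")
    return {key: reasons for key, reasons in findings.items() if reasons}


def rec(rx, pharmacy, schedule, dob, written, filled, partial=""):
    """Build one constructed dispensing record."""
    return dict(rx=rx, pharmacy=pharmacy, schedule=schedule, dob=dob,
                written=written, filled=filled, partial=partial)


# Constructed sample records (not registry data).
RECEIVED = date(2018, 3, 1)  # assumed date the data was received
RECORDS = [
    rec("1001", "PH-A", 2, date(1980, 4, 12), date(2017, 3, 1), date(2017, 3, 1)),
    rec("1001", "PH-A", 2, date(1980, 4, 12), date(2017, 3, 1), date(2017, 3, 20)),
    rec("1002", "PH-A", 2, date(1, 1, 1), date(2017, 5, 10), date(2017, 5, 2)),
    rec("1003", "PH-B", 4, date(1955, 9, 30), date(2016, 1, 15), date(2016, 9, 1)),
    rec("1004", "PH-B", 2, date(1962, 7, 4), date(1962, 7, 4), date(2017, 2, 1)),
    rec("1005", "PH-B", 2, date(1990, 1, 1), date(2017, 6, 1), date(2017, 6, 1), "P"),
    rec("1005", "PH-B", 2, date(1990, 1, 1), date(2017, 6, 1), date(2017, 6, 8), "P"),
    rec("1006", "PH-A", 3, date(2020, 1, 1), date(2017, 8, 1), date(2017, 8, 1)),
    # Seven fills of one Schedule IV prescription, 20 days apart: six refills.
    *[rec("1007", "PH-B", 4, date(1970, 2, 2), date(2017, 1, 2),
          date(2017, 1, 2) + timedelta(days=20 * i)) for i in range(7)],
]

if __name__ == "__main__":
    for key, reasons in sorted(validate(RECORDS, RECEIVED).items()):
        print(key, reasons)
```

Prescription 1004 in the sample carries the patient's birthdate in the date written field, the pattern the audit observed in its aged-prescription results.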
RECOMMENDATION #5





We recommend the Department of Labor and Industry work with the Board 
of Pharmacy to implement formal procedures to ensure validation and quality 
assurance of Montana Prescription Drug Registry data. 




Inconsistent and Out-of-Date Reporting Requirements 


The board follows the ASAP 4.1 reporting standards. Pharmacies use these standards 
nationwide for various sorts of reporting, including prescription drug monitoring 
reporting. ASAP standards are used by every state with a prescription-monitoring 
program. However, current standards are now at version 4.2a, which includes additional 
reporting capabilities and data refinement. For example, they include treatment type 
and further clarification on quantity dispensed and prescribed, which helps identify 
what is reported in the partial fill indicator field. These additional data fields and 
capabilities would allow the DLI to refine misuse and diversion analysis as well as be 
able to further rely on the data to improve patient safety. 


Administrative Rule also requires data elements be reported in MPDR in addition to 
the ASAP requirements. These include:

• Pharmacy contact information
• Patient gender information
• Prescriber contact information


Missing Data Fields Diminish the Usability 
and Effectiveness of MPDR 


Due to the importance of following national reporting standards and having consistent 
data reporting requirements, we compared the fields required by national standards 
and administrative rule. This comparison was done to identify what data was being 
populated and reported in MPDR. This provides an understanding of how complete 
MPDR data are and how reliable the system is for prescribers, pharmacies, and the 
board. 


We found 334,000 records of a total 3.9 million (9 percent) were missing at least 
eight administrative rule-required data fields. One primary field missing was complete 
pharmacy contact information. Pharmacies do not have a unique ID by location 
and only report owner name. For example, if Pharmacy A changed owners, it would
become Pharmacy B and be assigned a new ID. If pharmacy addresses were required, a
potential investigation would be able to identify patients that are attempting to get the 
same prescription filled at several pharmacies, a practice known as pharmacy shopping. 
Addresses would be able to capture how many different pharmacy locations a patient 
visited. 


We also identified 437,000 dispensing records (11 percent) missing a gender code as 
required by ASAP 4.2a. Missing gender codes limits the board’s ability to identify 
duplicate patients. Identifying duplicate patients allows prescribers to conduct more 
reliable searches as well as to further address suspicious activity. 


Board Needs to Update Reporting Requirements 


In 2013, Senate Joint Resolution Study 20 was approved to study ways to reduce 
prescription drug abuse. Within that study, several recommendations were made 
to improve MPDR and to address prescription drug abuse in Montana. One of the 
recommendations was to improve shared data by aligning with ASAP 4.2 standards. 
According to the board, it wanted to focus on getting the basic functionality 
implemented for stakeholders, so updating the system to align with national standards 
was not a priority. ASAP 4.1 continues to be a valid national standard still followed by
some states.


Using the most recent ASAP standards allows the board to gather necessary information
to make the registry more effective, reliable, and useful for the medical community. 
Additional information required by administrative rule provides further assistance in 
identifying unique patients, prescribers, and pharmacies. The ability to identify unique 
individuals is crucial when trying to keep complete records of patient prescription 
history. Using updated reporting requirements also allows the board to better 
communicate with other states and provide more data, thereby increasing protection 
for patients. Once consistent and correct data is gathered, the foundation is established 
to better analyze data for addressing misuse and diversion. This also provides the board 
the ability to educate pharmacies on submitting data and dispensing laws. 




RECOMMENDATION #6 


We recommend the Department of Labor and Industry and the Board 
of Pharmacy follow administrative rule by requiring all data elements in 
pharmacy reporting be included in the Montana Prescription Drug Registry. 
Chapter V - Activities to Identify Misuse
and Diversion of Prescription Drugs 


Introduction 


The Board of Pharmacy (board) does not currently conduct reviews and analysis of 
reported data to alert pharmacies or prescribers of potential issues. Instead, it relies 
on medical professionals to make their own conclusions about a patient’s prescription 
history when reviewing Montana Prescription Drug Registry (MPDR) data. Not 
providing evidence of misuse and diversion, the intentional transfer of a controlled
substance to use other than as directed, puts patients at risk and increases the potential
for prescription drug abuse. Misuse of prescription drugs is defined as using the 
drug for purposes other than what it was prescribed for. By proactively identifying 
and addressing misuse and diversion, issues can more readily be resolved before they 
become a public health concern. We found potential cases where prescription drugs 
were dispensed inappropriately, such as filling prescriptions past approved refill dates 
and prescriptions filled by multiple pharmacies. 


By not identifying misuse and diversion, the board is at a disadvantage for receiving 
federal grant funding. Best practices indicate agencies will be given priority 
consideration for grant funding if they are proactively addressing misuse and diversion. 
For example, according to the US Department of Justice, the Montana Board of Crime 
Control (MBCC) was denied federal grant funding in 2018 because the application 
did not include specific information about how the registry could enhance the state’s 
capacity to respond to the substance abuse crisis. Based on previous years’ awarded 
amounts, the board could have been awarded up to $400,000 in federal grant funding 
from MBCC. 


Our fourth audit objective was to determine if MPDR data can effectively identify 
misuse and diversion. Misuse and diversion has several definitions and can include 
many different activities in healthcare. Some states describe it as fraudulent activity, 
whereas some states identify it as questionable or suspicious activity. This chapter 
discusses our work and recommendation related to this area. 


Criteria to Identify Misuse and
Diversion of Prescription Drugs


Section 37-7-1502, MCA, does not provide a specific definition for misuse and 
diversion; however, administrative rule states it can be defined as patients visiting 
four or more prescribers in a 60-day period or four or more pharmacies in a 60-day 
period. This activity is more popularly known as doctor shopping. Best practices that 
we reviewed from other states set the time frame for doctor shopping at 30 days and
include criteria for activities other than doctor shopping, like prescriber activity. Other 
states also identify other criteria for defining misuse and diversion, including suspicious 
prescribing activity. Montana has data sharing agreements to report prescription drug 
activity between neighboring states. Our tests used both the criteria in rule and best 
practice from other states. 


During our audit work, we conducted multiple tests using MPDR data which are 
described in the following sections. We used caution in conducting our test knowing 
some MPDR data is unreliable. We also acknowledge that some decisions are valid 
based on doctor-patient relationships. However, we believe there is sufficient data in
the registry to determine if there appeared to be potential instances of misuse and
diversion occurring.


Issues With Unique IDs Were Identified 


Prior to testing for questionable activity, we needed to review whether ID numbers for 
patients, prescribers, and pharmacies were unique. Otherwise, a patient with multiple 
ID numbers going to multiple pharmacies might not be observable because it would 
look like different patients each time. The same would happen if prescribers did not 
have unique ID numbers as well. 


To test these IDs for uniqueness, we reviewed the database tables with information
specific to that ID in it, not the dispensing history. For instance, the table with 
pharmacy information in it has a pharmacy ID along with pharmacy name, address, 
and contact information. Because the table is specific to pharmacy information, there 
is no dispensing information in it. By testing these database tables for duplicate records, 
we identified three types of ID numbers that are not unique. These are discussed below. 


Patient ID Numbers: To verify the uniqueness of patient IDs, we pulled a sample 
of patients and ran tests that identified patient records appearing to be similar. Our 
sample of 9,211 patients found 738 potential duplicates. We manually reviewed each 
of these records to verify if duplicate patients existed by comparing first and last name, 
date of birth, and address. We were able to clearly identify 215 duplicate patient IDs. 


Patient ID numbers were not unique for several reasons. One is related to MPDR 
functionality being developed by the contracted vendor without input from the 
board. This issue was discussed earlier in the report. Several data entry errors were also 
identified due to misspelling names or entering incorrect or inconsistent patient birth 
dates. This resulted in several patients in the registry having multiple ID numbers 
instead of a number unique to them for all prescriptions they are issued. 


Prescriber ID Numbers: All prescribers and prescribing facilities are issued a unique ID 
number by the Drug Enforcement Administration (DEA). Prescribers have the option 
to provide either their associated facility’s DEA number or their own personal DEA 
number. We found this resulted in inconsistent data within MPDR that impacts the 
ability to count the number of prescribers for whom a patient has received prescriptions. 
When counting the number of different providers tied to a DEA number, we identified 
multiple instances where a facility DEA number was used for the prescriber ID. Due 
to this, we used a combination of prescriber fields to identify prescribers in our testing. 
This would ensure we did not miss potential doctor shopping if a patient visited 
multiple doctors using the same DEA number. 


Pharmacy ID Numbers: While reviewing prescription filling practices for data 
reliability, we identified instances where pharmacy addresses were the same for 
multiple pharmacy IDs. This indicates pharmacies do not have unique ID numbers 
either. Because the pharmacy address information is not required in reporting, this 
information is missing for some pharmacy ID numbers and we could not determine 
how many duplicate pharmacy ID numbers existed. When discussing this with 
the board, they explained that pharmacy ID numbers are tied to the owner of the 
pharmacy. If a pharmacy has a change in ownership, the ID number changes for that
location. This impacts the identification of the potential pharmacy shoppers or patients 
who use multiple pharmacies concurrently. It also increases the reliance on other 
pharmacy information that we determined to be incomplete in the registry. 


Potential Evidence of Patient Misuse and Diversion 


Even though duplicate ID numbers exist in MPDR, our audit work was still able 
to identify suspicious patient activity, such as potential doctor shopping. Doctor 
shopping is when someone goes to multiple medical professionals to fill or refill 
unneeded prescriptions. Administrative rule indicates misuse and diversion as a patient 
receiving four or more prescriptions of the same type of drug, or filling prescriptions 
from four or more pharmacies, within a 60-day period. Due to the amount of data 
in prescription drug registries, best practices from other states indicate reducing that 
window to 30 days. Doing this can help limit results and focus on more egregious 
activity. To understand the difference in these two criteria specific to Montana, we 
conducted analysis for suspicious activity in both a 30-day time frame and 60-day 
time frame. To test this, we used MPDR data to determine if a patient received similar 
prescriptions from four or more prescribers and filled them at four or more pharmacies 
within the allotted time. To focus the results of our analysis, we ran these tests on only
highly addictive prescription drugs within Schedule II.
We ran tests that counted the number of subsequent prescriptions within the specified
time frame for each prescription a patient received. We were then able to identify those
greater than four and count the number of different prescribers and pharmacies that
occurred within that time frame as well. Figure 4 (see page 39) provides an example of
a situation we identified where potential doctor shopping might have occurred during
the 2016-2017 time frame. Overall, we identified 4,410 patient IDs that went to four
or more pharmacies and four or more prescribers in a 30-day period. We identified
8,814 patient IDs that visited four or more prescribers and pharmacies in a 60-day
period. Figure 4 shows two examples identified in our analysis.

• Patient #1 received nine prescriptions for high strength opioids from four
  different prescribers within a 30-day period. These were filled at four different
  pharmacies. When expanded to 60 days, two more prescribers were visited
  for the same type of high strength opioids.

• Patient #2 received 11 prescriptions from 9 different prescribers within a
  30-day period. These were filled at 5 different pharmacy locations.
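
The windowed test described above, as an added example rather than the audit division's own code: each Schedule II fill anchors a window of 30 or 60 days, and a patient ID is flagged when a window holds four or more distinct prescribers and four or more distinct pharmacies. Field names, identifier values, and the sample fills are constructed assumptions; prescribers are keyed on DEA number plus name because, as noted earlier, a DEA number may belong to a facility.

```python
from collections import defaultdict
from datetime import date, timedelta


def prescriber_key(rec):
    """Identify a prescriber by DEA number plus name (a DEA number may be a facility's)."""
    return (rec["dea"], rec["prescriber"].strip().upper())


def shopping_windows(records, days, threshold=4, key=prescriber_key):
    """Return {patient_id: (window_start, n_prescribers, n_pharmacies)}.

    A patient ID is flagged for the first window of `days` days, anchored on one
    of its Schedule II fills, that contains `threshold` or more distinct
    prescribers and `threshold` or more distinct pharmacies.
    """
    by_patient = defaultdict(list)
    for rec in records:
        if rec["schedule"] == 2:  # the audit limited this test to Schedule II
            by_patient[rec["patient_id"]].append(rec)

    flagged = {}
    for pid, fills in by_patient.items():
        fills.sort(key=lambda r: r["filled"])
        for i, anchor in enumerate(fills):
            end = anchor["filled"] + timedelta(days=days)  # exclusive upper bound
            window = [r for r in fills[i:] if r["filled"] < end]
            prescribers = {key(r) for r in window}
            pharmacies = {r["pharmacy_id"] for r in window}
            if len(prescribers) >= threshold and len(pharmacies) >= threshold:
                flagged[pid] = (anchor["filled"], len(prescribers), len(pharmacies))
                break
    return flagged


def fill(pid, dea, prescriber, pharmacy_id, filled, schedule=2):
    """Build one constructed dispensing record."""
    return dict(patient_id=pid, dea=dea, prescriber=prescriber,
                pharmacy_id=pharmacy_id, filled=filled, schedule=schedule)


# Constructed sample fills (not registry data); DEA values are placeholders.
RECORDS = [
    # PT-1: four prescribers and four pharmacies inside 22 days.
    fill("PT-1", "DEA-0001", "Dr A", "PH-1", date(2017, 4, 4)),
    fill("PT-1", "DEA-0002", "Dr B", "PH-2", date(2017, 4, 12)),
    fill("PT-1", "DEA-0003", "Dr C", "PH-3", date(2017, 4, 24)),
    fill("PT-1", "DEA-0004", "Dr D", "PH-4", date(2017, 4, 26)),
    # PT-2: the same pattern spread over 45 days, so only the 60-day test fires.
    fill("PT-2", "DEA-0001", "Dr A", "PH-1", date(2016, 12, 1)),
    fill("PT-2", "DEA-0002", "Dr B", "PH-2", date(2016, 12, 20)),
    fill("PT-2", "DEA-0003", "Dr C", "PH-3", date(2017, 1, 5)),
    fill("PT-2", "DEA-0004", "Dr D", "PH-4", date(2017, 1, 15)),
    # PT-3: four prescribers reported under one facility DEA number.
    fill("PT-3", "DEA-0900", "Dr E", "PH-1", date(2017, 2, 1)),
    fill("PT-3", "DEA-0900", "Dr F", "PH-2", date(2017, 2, 3)),
    fill("PT-3", "DEA-0900", "Dr G", "PH-3", date(2017, 2, 6)),
    fill("PT-3", "DEA-0900", "Dr H", "PH-4", date(2017, 2, 9)),
    # PT-4: four prescribers but only two pharmacies.
    fill("PT-4", "DEA-0001", "Dr A", "PH-1", date(2017, 3, 1)),
    fill("PT-4", "DEA-0002", "Dr B", "PH-1", date(2017, 3, 3)),
    fill("PT-4", "DEA-0003", "Dr C", "PH-2", date(2017, 3, 6)),
    fill("PT-4", "DEA-0004", "Dr D", "PH-2", date(2017, 3, 9)),
    # PT-5: qualifying pattern, but Schedule IV, so outside this test.
    fill("PT-5", "DEA-0001", "Dr A", "PH-1", date(2017, 5, 1), schedule=4),
    fill("PT-5", "DEA-0002", "Dr B", "PH-2", date(2017, 5, 2), schedule=4),
    fill("PT-5", "DEA-0003", "Dr C", "PH-3", date(2017, 5, 3), schedule=4),
    fill("PT-5", "DEA-0004", "Dr D", "PH-4", date(2017, 5, 4), schedule=4),
]

if __name__ == "__main__":
    for days in (30, 60):
        print(days, sorted(shopping_windows(RECORDS, days)))
    # Keying on the DEA number alone misses PT-3.
    print(sorted(shopping_windows(RECORDS, 30, key=lambda r: r["dea"])))
```

Because the test groups on patient ID, duplicate patient IDs of the kind described earlier split one person's history across several groups and can keep a window below the threshold.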


Figure 4
Suspicious Patient Activity Analysis

Doctor Shopping                                   Within 30 Days       Within 60 Days
4 or more prescribers and 4 or more pharmacies    4,410 Patient IDs    8,814 Patient IDs

[Detail tables for Patient #1 and Patient #2. Columns: Doctor #, Date Written, Drug Name,
Days Supply, Partial/Full, Date Filled, Pharmacy #, Pharmacy City.]

Source: Compiled by Legislative Audit Division from Montana Prescription Drug Registry
data.





As noted in the figure, this example shows both patients obtaining prescriptions 
from different locations across Montana and in neighboring states within 30 days. In 
addition, Patient #1 also received two prescriptions for OxyContin, a high-strength 
pain medication, on the same day from two different prescribers. There may be 
reasonable explanations why situations like those described in the figure may occur. 
However, with the number of prescribers seen and pharmacies located across Montana 
and in neighboring states, it could be an indication of potential patient misuse and 
diversion of prescribed medications. 
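
The windowed count behind the doctor-shopping test in Figure 4, as an added example (not the Legislative Audit Division's own analysis code). The record layout, the `shopping_flags` name, and the sample fills are constructed for illustration, and a "30-day period" is assumed to mean fills less than 30 days apart. `require_both=False` switches from the figure's "and" test to the "or" wording of Administrative Rule 24.174.1706.

```python
from collections import Counter, defaultdict
from datetime import date
from typing import NamedTuple


class Fill(NamedTuple):
    """One dispensed-prescription record (hypothetical layout)."""
    patient_id: str
    prescriber_id: str
    pharmacy_id: str
    filled: date


def shopping_flags(fills, window_days=30, min_prescribers=4,
                   min_pharmacies=4, require_both=True):
    """Return {patient_id: (window_start, n_prescribers, n_pharmacies)}
    for the first window in which a patient meets the thresholds."""
    by_patient = defaultdict(list)
    for f in fills:
        by_patient[f.patient_id].append(f)

    flagged = {}
    for pid, rows in by_patient.items():
        rows.sort(key=lambda f: f.filled)
        prescribers, pharmacies = Counter(), Counter()
        left = 0  # index of the oldest fill still inside the window
        for f in rows:
            prescribers[f.prescriber_id] += 1
            pharmacies[f.pharmacy_id] += 1
            # Drop fills that are window_days or more older than this one.
            while (f.filled - rows[left].filled).days >= window_days:
                old = rows[left]
                for counter, key in ((prescribers, old.prescriber_id),
                                     (pharmacies, old.pharmacy_id)):
                    counter[key] -= 1
                    if counter[key] == 0:
                        del counter[key]
                left += 1
            many_docs = len(prescribers) >= min_prescribers
            many_rx = len(pharmacies) >= min_pharmacies
            hit = (many_docs and many_rx) if require_both else (many_docs or many_rx)
            if hit:
                flagged[pid] = (rows[left].filled, len(prescribers), len(pharmacies))
                break
    return flagged


def _f(pid, doc, pharm, y, m, d):
    return Fill(pid, doc, pharm, date(y, m, d))


# Constructed sample data; every identifier is made up.
SAMPLE_FILLS = [
    # P-A: four prescribers and four pharmacies inside 17 days.
    _f("P-A", "D1", "PH1", 2017, 4, 3), _f("P-A", "D2", "PH2", 2017, 4, 7),
    _f("P-A", "D3", "PH3", 2017, 4, 12), _f("P-A", "D4", "PH4", 2017, 4, 20),
    # P-B: the same counts, but spread over 54 days.
    _f("P-B", "D1", "PH1", 2017, 1, 2), _f("P-B", "D2", "PH2", 2017, 1, 20),
    _f("P-B", "D3", "PH3", 2017, 2, 10), _f("P-B", "D4", "PH4", 2017, 2, 25),
    # P-C: four prescribers, but always the same pharmacy.
    _f("P-C", "D1", "PH9", 2017, 3, 1), _f("P-C", "D2", "PH9", 2017, 3, 2),
    _f("P-C", "D3", "PH9", 2017, 3, 4), _f("P-C", "D4", "PH9", 2017, 3, 6),
    # P-D: ordinary activity.
    _f("P-D", "D5", "PH2", 2017, 2, 1), _f("P-D", "D5", "PH2", 2017, 3, 1),
]

if __name__ == "__main__":
    for days in (30, 60):
        print(days, "days:", sorted(shopping_flags(SAMPLE_FILLS, window_days=days)))
```

Running it on the sample shows why the count roughly doubles between the two columns of the figure: P-B only crosses the threshold once the window widens to 60 days.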

Additionally, because Montana still allows paper prescriptions, we also tested for
potential pharmacy shopping. Pharmacy shopping is the act of visiting multiple 
pharmacies in a short period of time with the same prescription from one prescriber. 
The expectation of the test was minimal considering the growth of electronic 
prescriptions being used. We identified six patient ID numbers that took a prescription 
to four different pharmacies within 60 days. 


These potential instances of doctor and pharmacy shopping show that MPDR can 
provide evidence of suspicious activity that should be considered by prescribers and 
pharmacists prior to issuing prescriptions. The board is not currently reviewing MPDR 
data to identify suspicious activity. According to §37-7-1502, MCA, the board has the 
right to review and test MPDR data to identify potential misuse and diversion and 
possible criminal activity. However, statute is permissive and does not require analysis 
to occur. The board chooses not to be proactive by conducting these types of analyses. 


Potential Prescriber Misuse and Diversion Can 
Also Be Identified Using MPDR Data 


Prescriber misuse and diversion is the highest risk to patient and community safety 
because prescribers control what a patient is given. If the patient is receiving more than 
the recommended amount, substance abuse and addiction increases significantly. We 
used several federal and state statutes as well as best practices and guidelines to prevent 
this kind of activity in our tests. These are described below. 


Active License Test: According to §37-3-301, MCA, a prescriber is required to
have a valid, active license to prescribe controlled substances or the prescriber faces
misdemeanor charges. We tested whether prescribers were prescribing controlled
substances without an active license by comparing active license information to
prescriber data on dispensed records from November 2017.


There may be prescribers listed in the registry that do not have a listed license in the 
Montana licensing database due to nonresidents visiting Montana and needing refilled 
prescriptions. The nonresident’s doctor would be listed, but would not have an active 
Montana license number. However, those types of prescribers would be limited and 
are not easy to identify in MPDR data because prescriber location information is not 
captured. 


If rule reporting requirements were followed, we would have been able to identify
out-of-state prescribers and remove them from this test. Instead, we reviewed the
amount of dispensing records each provider had within the one month. If a prescriber
was out-of-state, it would be reasonable for prescriptions to be filled when the prescriber
was close to a state line or a patient was on vacation in Montana and needed a refill. We
found multiple prescribers with over 50 fills or refills of prescriptions in one month.
Because we do not have prescriber location, we cannot verify these occurrences are
valid exceptions.


Days of Supply Test: According to §37-20-404, MCA, Schedule II substances are not 
to be prescribed by a physician assistant for more than a 34-day supply due to being 
highly addictive and dangerous. For prescribers that we could identify a license type 
for, we separated the physician assistants and reviewed the days of supply dispensed on 
the prescription record. 


Prescribing Dangerous Combinations Test: Recent suspicious prescribing patterns 
include prescribers authorizing dangerous combinations of drugs. According to federal 
recommendations, high risk lies with prescribing benzodiazepines (benzos) and 
opioids concurrently. While this may still be an acceptable practice, patients prescribed 
both are more likely to become addicted to or die from an overdose even if taking 
them for a medically-appropriate reason or prescribed amount. Overlapping benzo and 
opioid prescriptions could be a sign of suspicious prescription drug use or suspicious 
prescribing practices. 


We analyzed prescriptions for Schedule II drugs during 2016-2017 to see if a patient 
was prescribed a benzo while also taking an opioid, either by the same or different 
prescribers. Using the days of supply indicated on the record and the date it was filled, 
we calculated a date range for the prescription. We were then able to identify if any 
other prescriptions for benzos or opioids were prescribed during that date range. For 
example, if Prescriber #1 prescribed a benzo on January 1 with 21 days’ supply, we 
would be able to identify if that patient received an opioid between January 1 and 22, 
indicating inappropriate prescribing activity. Through the testing we also identified 
instances where the patient received an opioid, but then the patient went to another 
prescriber to get a benzo. This example shows where MPDR can provide useful and 
valuable information to Prescriber #2 about other medications the patient is taking. 
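
The date-range comparison described above, as an added example (not the audit team's own code). The record layout, function names, and sample prescriptions are constructed for illustration. Following the report's January 1 to January 22 example, a prescription is assumed to cover its fill date through fill date plus days of supply, inclusive. Records without a usable days-of-supply value cannot be ranged and are set aside rather than guessed.

```python
from collections import defaultdict
from datetime import date, timedelta
from typing import NamedTuple, Optional


class Rx(NamedTuple):
    """One dispensed-prescription record (hypothetical layout)."""
    patient_id: str
    prescriber_id: str
    drug_class: str              # "opioid" or "benzo"
    filled: date
    days_supply: Optional[int]   # may be missing in the source data

    @property
    def covered_until(self):
        # Report's convention: Jan 1 + 21 days' supply covers Jan 1 to Jan 22.
        return self.filled + timedelta(days=self.days_supply)


class Overlap(NamedTuple):
    patient_id: str
    first: Rx                    # prescription already in effect
    second: Rx                   # other drug class filled during that range
    same_prescriber: bool


def find_overlaps(records):
    """Return (overlaps, unusable): opioid/benzo pairs whose date ranges
    overlap for one patient, plus records that could not be ranged."""
    by_patient, unusable = defaultdict(list), []
    for rx in records:
        if rx.drug_class not in ("opioid", "benzo"):
            continue
        if rx.days_supply is None or rx.days_supply <= 0:
            unusable.append(rx)
            continue
        by_patient[rx.patient_id].append(rx)

    overlaps = []
    for pid, rows in by_patient.items():
        rows.sort(key=lambda r: r.filled)
        active = []  # earlier prescriptions whose range has not ended
        for rx in rows:
            active = [a for a in active if a.covered_until >= rx.filled]
            for a in active:
                if a.drug_class != rx.drug_class:
                    overlaps.append(
                        Overlap(pid, a, rx, a.prescriber_id == rx.prescriber_id))
            active.append(rx)
    return overlaps, unusable


def summarize(overlaps):
    """Count affected patients and how often a second prescriber was involved."""
    return {
        "patients": len({o.patient_id for o in overlaps}),
        "pairs": len(overlaps),
        "different_prescriber_pairs": sum(not o.same_prescriber for o in overlaps),
    }


# Constructed sample data; every identifier is made up.
SAMPLE_RX = [
    # PT-1: benzo covers Jan 1-22; another prescriber's opioid is filled Jan 22.
    Rx("PT-1", "DR-1", "benzo", date(2017, 1, 1), 21),
    Rx("PT-1", "DR-2", "opioid", date(2017, 1, 22), 10),
    # PT-2: two opioids still in effect when a benzo is filled on Mar 10.
    Rx("PT-2", "DR-3", "opioid", date(2017, 3, 1), 30),
    Rx("PT-2", "DR-8", "opioid", date(2017, 3, 5), 5),
    Rx("PT-2", "DR-3", "benzo", date(2017, 3, 10), 14),
    # PT-3: opioid range ends May 8; benzo filled May 9, so no overlap.
    Rx("PT-3", "DR-4", "opioid", date(2017, 5, 1), 7),
    Rx("PT-3", "DR-5", "benzo", date(2017, 5, 9), 14),
    # PT-4: days of supply missing on the opioid record.
    Rx("PT-4", "DR-6", "opioid", date(2017, 6, 1), None),
    Rx("PT-4", "DR-7", "benzo", date(2017, 6, 2), 10),
]

if __name__ == "__main__":
    found, skipped = find_overlaps(SAMPLE_RX)
    print(summarize(found), "unusable records:", len(skipped))
```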


Testing MPDR data for the scenarios described above identified suspicious provider
activity:

• Using licensing information from DLI’s licensing database, we found over
2,000 prescribers who wrote prescriptions without an active license in
November 2017.

• 152 physician assistants were in violation of §37-20-404, MCA, by prescribing
Schedule II drugs for over a 34-day supply.

• Over 4,000 patients received dangerous combinations of drugs. Two-thirds
of the prescribers involved were not the same prescriber that issued the initial
drug.

Figure 5
Suspicious Prescriber Activity Analysis

Prescribing Without an Active License in November 2017
36,254 Prescriptions issued by 2,350 Prescribers
• 225 Prescribers had over 50 fills within November
• 660 Prescribers had 6 to 49 fills within November
• 1,465 Prescribers had 1 to 5 fills within November

Physician Assistants Prescribing more than 34-day supply of Schedule II Drug
152 Physician Assistants prescribed over 34-day supply
7,734 Physician Assistants TOTAL; 2%

4,163 Patients Received Dangerous Combinations
From 3,382 Prescribers... 2,018
Categories shown: Prescribed both drugs; Prescribed one when another prescriber
issued the other

Source: Compiled by Legislative Audit Division from Montana Prescription Drug Registry
data.





Suspicious Activity Needs to Be Defined and 
Reviewed to Improve Patient Safety 


The board faces many challenges in addressing misuse and diversion of controlled
substances. Many of the issues we identified, such as duplicate patients, are common
nationally. However, we found other states are attempting to address misuse and
diversion to improve patient safety through analysis of prescription data. Statute
requires the board to collect prescription information and allows them to review the
data for misuse and diversion. The board can make improvements and implement
mechanisms to help address suspicious prescription drug activity in Montana.


The results of our analysis may have many reasons for occurring, including bad data
entry, medical staff not reviewing prescription data prior to prescribing, limited
education and awareness of prescription rule and law, unclear or unestablished
definitions of suspicious behavior, or actual patient/prescriber misuse and diversion.
The ability to identify patterns and trends would help pinpoint problems so the board
and other entities can start developing meaningful and effective ways of preventing
misuse and diversion.


Because MPDR data is not reviewed, patient safety and public health is not completely 
protected. The board has the authority to review the data and identify issues to improve 
patient safety. Procedures need to be established to ensure it is not held accountable if 
a litigation situation were to occur. 




RECOMMENDATION #7 





We recommend the Department of Labor and Industry work with the Board 
of Pharmacy to protect patient safety and public health by developing and 
implementing data analysis tools and procedures to identify and address 
potential misuse and diversion of prescription drugs using Montana 
Prescription Drug Registry data. 

Chapter VI — Montana Prescription Drug
Registry Direction and Resources 


Introduction 


The Board of Pharmacy (board) is required by §37-7-1502, MCA, to manage and
maintain the Montana Prescription Drug Registry (MPDR). However, as discussed
in previous chapters we identified several ongoing management issues related to the
maintenance of the registry since its inception. These issues include:

• Unestablished management procedures and responsibilities leading to
contract weaknesses, project delays, unusable functionality, and limited
ability of the board to implement new functionality required within the
industry.

• Delayed completion of system functionality needed to comply with statute
and rule.

• A lack of necessary procedures to help identify MPDR security weaknesses.

• Data integrity weaknesses impacting the usability and effectiveness of the
registry.

• Minimal reviews of MPDR data that would identify potential inappropriate
or illegal prescription drug activity to help improve patient safety.


While our previous recommendations discuss the need to establish various procedures, 
increase system functionality, and clarify staff responsibilities, there are primary 
causes consistent with the findings to be addressed: coordination between invested 
stakeholders, like Department of Justice (DOJ) and Department of Public Health 
and Human Services (DPHHS), and limited resources allocated within the board to 
effectively manage the registry. These foundational changes need to be addressed for 
the Department of Labor and Industry (DLI) and the board to effectively maintain a 
reliable prescription drug registry. 


Coordination of Resources Is Needed to
Support Management of MPDR


MPDR is currently managed by one full-time DLI staff (funded by the board) and 
the board’s executive officer who oversees the staff member. The administrative staff 
member is required to manage all aspects of the registry. This includes managing the 
MPDR vendor contract, monitoring MPDR system development, overseeing security 
of personal health information (PHI), managing system maintenance, providing 
customer support, managing MPDR users, and ensuring accuracy, integrity, and 
security of prescription data. Throughout our audit, we found many of these duties 
were not prioritized due to completing other important tasks required to keep the
registry up and running. These other tasks included:

• Budget monitoring and planning for future enhancements and changes to
MPDR.

• Updating documentation to ensure MPDR procedures and guidelines are
current and defined.

• Researching and documenting workarounds for partial functionality so
users can complete necessary tasks within the registry.

• Maintaining professional development to ensure MPDR is in alignment
with other states to help Montana keep current with national prescription
drug monitoring best practices.

• Web updates allowing users and stakeholders a centralized location for
MPDR information and a portal for registry access.

• Conducting compliance audits that serve as the board’s only audit tool for
ensuring pharmacies are reporting prescription data.

• Developing a request for proposal (RFP) to implement a new prescription
drug registry.


Based on information systems best practices and industry standards, several positions 
should be charged with contract and project management of information systems. 
In addition, dedicated security specialists and trained technical support staff are also 
required. These duties are typically performed by separate individuals trained specifically 
in these areas to ensure effectiveness and compliance with policy, law, and national 
information technology (IT) standards. However, these responsibilities for managing 
MPDR are all placed within one DLI position description and staff member. We found 
the DLI staff member has limited training in several areas including security of PHI, 
contract management, and IT project management. The position description also does 
not require knowledge or experience in these specific areas, but only a knowledge of 
the principles and practices of information systems. We also found the staff’s position 
description assigns the position to a DLI unit that no longer exists. Based on this, we 
believe neither the board nor department have reviewed or considered what skills or 
resources are necessary to ensure MPDR is properly managed. 


When reviewing other state agencies with systems similar to the registry, we found
most have several full-time staff allocated to system management and administration.
This includes contract management, project management, security, and operation
support such as technical assistance. While structures for how agencies decide to
use staff may vary, our work represents examples of how multiple full-time staff are
needed to effectively manage IT systems. Most often, we found contract and security
management resources are shared among various systems within an agency. Some
examples are provided below:

• DLI has a specialized security officer within its Technical Services Division
(TSD) to assist other divisions with system security management.

• Security of tax data is managed by an office of three full-time staff within
Department of Revenue.

• DPHHS has four full-time staff dedicated to information security for the
department and five full-time staff dedicated to and specialized in project
management.

• Most agencies have multiple, dedicated contract management officers.


After discussing management findings with the DLI, TSD assigned a project manager 
to assist with future project development. 


Limited Resources Impacted MPDR 
Planning and Management 


The DOJ initially brought forward HB83 during the 2011 Legislative Session to
create the registry, but registry oversight was assigned to the board instead
of DOJ. To help with MPDR implementation, the board received input from
stakeholders. However, due to decisions by the board and DLI to move forward with 
core functionality requested by users, the registry was launched without all authorized 
functions in place. These initial decisions created resource limitations for MPDR and 
delayed adding new enhancements to the registry. The board and DLI have begun 
coordinating resources to address these issues. 


Board officials also believe a new system could improve, reduce, or eliminate issues that 
currently exist with MPDR. While this may reduce time spent on system maintenance 
and manual work, it is unlikely to address weaknesses currently being experienced with 
MPDR. This is because expertise in specific areas, such as MPDR security, contract
management, oversight of project implementation, etc. is required to properly manage 
MPDR, whether it develops a new system or continues to make improvements to the 
existing registry. The board and DLI need to analyze how to best leverage department 
resources to ensure MPDR is implemented and managed appropriately. This includes 
areas such as security, project implementation, and contract management. They 
also need to formally analyze what resources are needed to ensure the effectiveness, 
security, and cost-efficiency of the system, including if it already has resources available 
that could be redirected to meet MPDR management needs. This analysis should also 
be considered as part of the ongoing RFP development for a new prescription drug 
registry. An RFP should not be issued until a formal resource needs assessment is 
completed and the department and board know what resources are needed to properly 
manage the registry. 

RECOMMENDATION #8

We recommend the Department of Labor and Industry and the Board of
Pharmacy:

A. Conduct a formal analysis to determine the resources needed to
properly manage the Montana Prescription Drug Registry.

B. Complete this analysis before a request-for-proposal for a new
prescription drug registry is issued.


Advisory Group Established to Help 
Direct MPDR Operations 


During the 2011 Legislative Session, a prescription drug advisory group was
created as part of the legislation creating the Montana Prescription Drug Registry.
Section 37-7-1510, MCA, requires the board to establish an advisory group to provide
information and advice regarding registry development and operation. This includes,
but is not limited to:

• Criteria for reporting information from MPDR to pharmacists and
prescribers.

• Design and implementation of registry educational courses.

• Standards for evaluating registry effectiveness.

• Administrative rules for establishing and maintaining the registry.


This law also requires the advisory group to be comprised of a variety of representatives
including:

• Health care licensing boards that oversee healthcare providers who have the
authority to prescribe or dispense drugs.

• Associations that represent healthcare professionals who have authority to
dispense or prescribe drugs.

• Associations that advocate for patients.

• Entities involved in tribal health services or issues.

• The Department of Justice.


Section 37-7-1510, MCA, also allows the advisory group to identify other individuals
to be appointed to the group. The law places responsibility for establishing rules for
conducting advisory group business on the board. Administrative Rule 24.174.1711
states the group shall establish policies and procedures to carry out duties as well as
meet at least annually.


We found other states also use advisory groups, boards, or councils to help manage 
and make decisions on the effectiveness and progress of their respective prescription 
drug registries. States with advisory boards have representatives from health care 
organizations, law enforcement, and representatives from the legislature. These 
advisory committees serve several purposes including providing guidelines and advice 
on operations and management over prescription drug programs. Other tasks include 
analyzing progress made toward reducing prescription drug abuse, development of 
strategic plans, and developing criteria for reviewing data, and reporting matters for 
further investigations. 


More Direction on the Management of MPDR 
Is Needed From Advisory Group 


According to the DLI, the advisory group was formed at initial development to ensure 
user business needs were met. The group met sporadically from 2011 to 2016 while 
the system was being developed, after implementation, and through major system 
changes. During our audit work, we determined the advisory board had not met since 
2016 because new enhancements to the registry had not been made. This meeting 
was limited to providing the group with high level updates on MPDR statistics, an 
overview of recent implemented functionality, administrative rule changes, updated 
policy and procedure documentation, and general program updates. According to 
board officials, they are still working on initial suggested changes and decisions made 
by the advisory group. Based on our work, we do not believe the advisory group has 
established ongoing evaluation of the effectiveness of the registry. 


The prescription drug registry advisory group has not actively met to discuss registry 
deficiencies, registry concerns among stakeholders, operational issues, and strategic 
plans on how to better address patient safety. The board has not developed the rules 
to require and enforce consistent group meetings, which resulted in a lack of direction 
to effectively maintain a registry that is up-to-speed with industry standards and 
trends. These advisory group meetings are needed to establish ongoing direction and 
improvement, which also includes consideration, prioritization, and implementation of
stakeholder recommendations.

Senate Joint Resolution 20 Recommended
Registry Enhancements


Senate Joint Resolution 20 (SJR 20) was passed by the 2013 Legislature and authorized 
a study to address ways to reduce prescription drug abuse. The Legislative Council 
assigned the study to the Children and Families Committee and was mandated in part 
to review registry funding and functionality. The study was completed in 2014 and 
provided a list of proposed enhancements to the registry. The SJR study recommended 
the following features be added to the registry: 


• Enter comments on patients.
• Integrate medical marijuana information.
• Allow unsolicited reporting for several patients.
• Allow scheduled queries on patient information and prescription data.
• Require real time/daily reporting.
• Linking electronic health records and profiles with MPDR.
• Additional reporting requirements/options.


The study also estimated an additional $390,000 was needed above the original 
$500,000 that was authorized to implement this additional functionality and maintain 
the registry through 2015. 


During our audit work, two recommendations from the SJR 20 study were 
implemented through an administrative rule change and the enactment of Chapter 130
of the 2019 Legislative Session. Changes made related to improving prescription drug 
reporting and linking to electronic health patient profiles used by medical professionals. 
Administrative Rule 24.174.1704 recently changed the MPDR reporting requirements 
from eight days to one day. Section 37-7-1506, MCA, was modified to establish the 
requirement for linking electronic medical records with prescription drug history. 


Following the SJR 20 study and its recommendations to improve MPDR functionality, 
the prescription drug registry advisory group instead had to focus on improving 
existing functionality to get the basic business needs implemented for front end users, 
such as doctors and pharmacies, because they were not yet fully operational. As a 
result, the recommended functionalities from the SJR 20 study were not prioritized or 
implemented. According to board officials, some of the proposed functionality is not 
feasible. The prescription drug advisory group has not provided the board guidance 
on implementation of feasible MPDR functions, if a new prescription drug registry is 
necessary, or potential resource needs to effectively manage the registry. 


Prescription Drug Registry Advisory Group Could 
Provide Ongoing Guidance on the Registry 


We believe that without input and direction from the prescription drug registry 
advisory group, MPDR has not been properly managed. Had the advisory group 
established policies and procedures defining the role of the group, it could have 
served as a resource to the board in management, oversight, and future direction of 
the registry. We identified several areas where the advisory group could have been a 
resource to the board. Examples include: 

• The board is developing an RFP for a new prescription drug registry. The
advisory group could provide guidance on development of a new system to
ensure all stakeholder needs are met and a new system runs as effectively as
possible.

• Providing input on best practices on how the registry can best serve the state
and the public and guidance/expectations related to security governance,
contract management, project management, and ensuring the intent of the
registry is met.

• As prescription drug abuse tactics change, the advisory group could review
current operations of the registry to determine where enhancements and
changes might be needed to address changing risks.

• There are multiple resources already available within DLI to address
constraints. The group can advise ways to meet the needs of the registry now
and plan for the resource needs of the registry in the future.


The prescription drug registry advisory group includes a variety of stakeholders 
with an interest in ensuring proper oversight of prescription drugs. Because of this, 
its involvement in development and operation is critical. However, advisory group 
involvement has been sporadic at best, and it has not met in three years. The board 
has not actively sought to engage the prescription drug registry advisory group to assist 
with MPDR oversight. 


We found other states have actively engaged prescription drug advisory groups to help 
provide guidance to pharmacy boards regarding their drug registries. For example, 
Oregon uses an advisory commission and they meet quarterly to discuss developing 
criteria for evaluating prescription drug data and making recommendations to 
health authorities regarding the operation of the program. We believe Montana’s 
prescription drug advisory group could aid the board regarding MPDR operations and 
development. We also believe the advisory group would benefit from defining prescription
drug misuse and diversion. Currently, prescription drug misuse and diversion are not 
clearly defined in either law or rule. The only definition is found in Administrative 
Rule 24.174.1706 stating the following factors are “suggestive” but not conclusive
evidence of misuse or diversion:

• Four or more prescribers in a 60-day period, or

• Four or more pharmacies in a 60-day period


One main purpose of MPDR is to identify misuse and diversion of prescription drugs 
and a lack of clarity on what misuse and diversion is limits the usefulness of the registry 
and can impact patient safety. Similar to how Oregon’s commission provides guidance 
and defines misuse and diversion, more specific definitions regarding misuse and 
diversion are needed to increase patient safety and registry effectiveness. Montana’s 
prescription drug registry advisory group should be providing similar guidance and 
defining what specifically constitutes misuse and diversion. 


Prescription Drug Registry Advisory Group 
Requires More Frequent Meetings, Inclusive 
Membership, and Transparency 


It is important the board get the prescription drug advisory group involved in 
registry oversight to receive proper guidance on the registry. This includes ensuring 
membership includes all possible stakeholders, establishing regular ongoing meetings, 
and establishing a clear vision of what the board needs from the advisory group. State 
law allows stakeholders other than those specifically listed to be part of the prescription 
drug advisory group. The board should look at expanding the advisory group to include 
other stakeholders who could have input regarding MPDR and how it best serves the 
public need. Administrative Rule 24.174.1711 includes legislators as part of advisory 
group membership and this provides an important public policy perspective. However, 
examples of other membership could include local law enforcement or members of the
public.


Administrative rule requires the Prescription Drug Registry Advisory Group to 
develop policies and procedures necessary for them to carry out their duties. However, 
the board has also not engaged the group to develop policies and procedures. This has 
resulted in few meetings occurring between the advisory group and the board. More 
involvement and interactions between the board and the advisory group would help 
alleviate the weaknesses we identified related to MPDR, including a lack of a clear 
definition regarding misuse and diversion of prescription drugs. Finally, increasing 
activities and interactions between the board and the advisory group also increases 
the necessity of transparency regarding the business they are conducting and decisions 
being made regarding MPDR activities. By increasing group activity, discussions 
regarding the resources allocated to the registry can occur, including assessments of
whether the registry should be housed within the board. This would also allow them
to provide additional information in current usage reporting such as MPDR activities, 
changes, and prescription drug use in Montana. 




RECOMMENDATION #9 





We recommend the Board of Pharmacy work with the Prescription Drug 
Advisory Group to: 


A. Establish formal policies and procedures regarding business processes 
that include regular, ongoing meetings. 


B. Expand advisory group membership to include other stakeholders 
important to prescription drug evaluations and discussions. 


C. Revise and update administrative rule to better define potential misuse 
and diversion thresholds to improve patient safety. 



May 31, 2019

RECEIVED JUN 0 4 2015
LEGISLATIVE AUDIT DIV.

Angus Maciver
Legislative Auditor
Legislative Audit Division
PO Box 201705
Helena, MT 59620-1705


Subject: Information Systems Audit #18DP-01 of the Montana Prescription Drug Registry; 
Montana Board of Pharmacy and Montana Department of Labor and Industry 


Dear Mr. Maciver: 


The Department of Labor and Industry has reviewed the 2019 Report of the Information Systems 
Audit conducted regarding the Montana Prescription Drug Registry (MPDR). The Department 
would like to thank your audit staff for their review. As a Department we are always looking for 
ways to improve and we appreciate the efforts of others to help assure we are providing quality 
services with the best accountability possible. Our responses to the audit recommendations appear 
below. 


Recommendation #1 


We recommend the Department of Labor and Industry regularly coordinate with the Board 
of Pharmacy to establish, follow, and enforce project and contract management procedures 
to include: 


A. Definitions for communication expectations and responsibilities, 
B. Management of project changes and enhancements, and 
C. Adherence to state procurement standards. 


Response: The Department concurs with the recommendation. The Department agrees that 
adherence to standard procedures and best practices for IT system contract management required 
improvement during the first years of the MPDR timeline. LAD correctly notes the Department is 
now following standard procurement processes and procedures and is leveraging Department and 
State resources to do so. More specifically, beginning in 2015 through the present, multiple 
changes have been made to improve procurement and project management and oversight: 


1. Department and vendor representatives, as well as program staff now meet 
monthly to discuss timelines, contract issues, and next steps. 

2. The Business Standards Division (BSD) assigned a Business Systems Analyst to
assist with MPDR project management and any necessary coordination with the 
Department's Technology Services Division (TSD) in August 2015. 

3. TSD assigned an IT project manager to the MPDR project/system in July 2015. 

4. Future projects will use documents which adhere to and enforce state 
procurement standards and best practices. 2017-2019 Department of 
Administration Delegation Agreement. 

5. MPDR project management and contract performance are a standing agenda 
item on monthly Business Standards Division (BSD)/TSD planning and 
operations meetings. 


Recommendation #2 
We recommend the Department of Labor and Industry and the Board of Pharmacy: 


A. Work with Department of Public Health and Human Services to immediately and 
permanently destroy or deidentify prescription drug data older than three years. 

B. Develop a data destruction and retention plan to ensure destruction of shared 
prescription drug data. 


Response: The Department concurs with the recommendation. The Department of Public Health 
and Human Services (DPHHS) confirmed in March of 2019 that it deleted all individually 
identifiable MPDR data in October of 2018. In addition, the data transfer memorandum of 
understanding (MOU) with DPHHS is being amended to specifically direct the timeline for 
destruction of the identifiable data older than 3 years for subsequent transfers of MPDR data. The 
Department will finalize the amended MOU by June 2019. 


Recommendation #3 


We recommend the Department of Labor and Industry work with the Board of Pharmacy to 
develop a governance structure and implement a security plan for the Montana Prescription 
Drug Registry that:


Defines the security responsibilities, 

Requires annual risk assessments, 

Mitigates significant security risks as identified, and 
Ensures compliance with HIPAA security rules. 




Response: The Department concurs with the recommendation. The Board, Department, and the 
State Information Technology Services Division (SITSD) understand the importance of ensuring 
appropriate security of the system in coordination with the vendor. The Department agrees that 
MPDR data security can be strengthened by implementing a HIPAA-compliant security plan which
documents current procedures and implements additional procedures as necessary. The 
Department engaged expertise to complete a risk assessment of the MPDR system. This assessment 
follows the NIST 800-53 and 800-60 guidelines and standards utilizing the risk management
framework. This includes completion of the System Security Plan (SSP) which includes a
governance structure, a Plan of Action and Milestones, and an assessment of the access control 
families. The Department will complete the plan by June 2019. DLI will continue to apply the risk 
management lifecycle processes on an annual basis. 


Recommendation #4 


We recommend the Department of Labor and Industry coordinate with the Board of 
Pharmacy to: 


A. Establish a process to enforce review of Montana Prescription Drug Registry delegate 
users. 

B. Develop and implement procedures to review administrative and vendor user 
activity. 


Response: The Department concurs with the recommendation. As LAD notes and as discussed in 
the response to Recommendation #8, the Department anticipates moving to a new system platform 
for the MPDR. Among other improvements, review of MPDR delegate users will be included in the 
system requirements for the new platform. Stronger enforcement of delegate relationship review 
and renewal will be required at certain timelines of the prescriber or pharmacist who delegated 
search authority. This change will also enhance review of administrative and vendor users. In 
addition, the final SSP will require review of administrative and vendor user activity. 


Recommendation #5 


We recommend the Department of Labor and Industry work with the Board of Pharmacy to 
implement formal procedures to ensure validation and quality assurance of Montana 
Prescription Drug Registry data. 


Response: The Department concurs with the recommendation. The Department agrees that 
development and use of enhanced system functionality will improve the quality and integrity of 
MPDR data as reported to the MPDR system by pharmacies dispensing controlled substance 
prescriptions. As discussed in the response to Recommendation #8, the Department anticipates 
moving to a new system platform for the MPDR. The Department will include enhanced data 
validation and quality assurance functionality in the system requirements for the new platform. In 
order to determine what data validations will best support the purpose to protect public health, the 
Department will work with its customers who use the MPDR and with the Advisory Group 
discussed in Recommendation #9. The Department will follow best practices to determine what 
types of data validation will follow best practices to achieve quality assurance. 


Recommendation #6 


We recommend the Board of Pharmacy follow administrative rule by requiring all data 
elements in pharmacy reporting be included in the Montana Prescription Drug Registry. 

Response: The Department concurs with the recommendation. The Department agrees that
usefulness of the MPDR data can be improved through system functionality which ensures the 
prescription data reported by pharmacies includes all data elements required by administrative 
rule. As mentioned in Recommendation #8, the Department anticipates moving to a new system 
platform for the MPDR. The Department will include functionality which better ensures the 
collection of all currently required data elements in the system requirements for the new platform. 
The Board will also consider a rule change to require use of the updated version of the ASAP 
standard for pharmacy reporting at the July 19, 2019 meeting. A new platform will also enable new 
required data elements supported in the updated ASAP standard. 


Recommendation #7 


We recommend the Department of Labor and Industry work with the Board of Pharmacy to 
protect patient safety and public health by developing and implementing data analysis tools 
and procedures to identify and address potential misuse and diversion of prescription drugs 
using Montana Prescription Drug Registry data. 


Response: The Department concurs with the recommendation. The Department believes the 
MPDR has been and continues to be a useful tool to protect public health. The Department agrees 
the usefulness of MPDR data can be improved through the development of system functionality 
which automates the analysis of MPDR data. The Department anticipates moving to a new system 
platform which will include functionality that identifies and reports activity meeting pre- 
determined criteria and thresholds in the system requirements for the new platform. Such reports 
will include unsolicited reporting to prescribers and pharmacists, de-identified data for research 
and analysis, and improved statistical analysis. The Department and the Board will also engage the 
Advisory Group on such efforts. 


Recommendation #8 
We recommend the Department of Labor and Industry and the Board of Pharmacy: 


A. Conduct a formal analysis to determine the resources needed to properly manage the 
Montana Prescription Drug Registry. 
B. Complete this analysis before a request-for-proposal for a new prescription drug
registry.


Response: The Department concurs with the recommendation. The Department will analyze the 
operation/oversight of the MPDR and determine the additional resources needed. As LAD notes,
the Department anticipates moving to a new system platform for the MPDR. Prior to determining 
requirements for a new platform, the Department will define what elements should be in place for 
successful management of the MPDR, to include staff expertise, leveraging of other 
Department/Statewide resources, and management/security governance structure. The 
Department notes that any analysis of resource needs must consider both staffing levels and the 
funding structure. Currently, the statutory funding structure of the MPDR rests on licensing fees 
paid by health care providers. Any resource decisions regarding this program must take into
consideration this structure. The Department does not support significantly increasing fees on 
providers. The Department will complete this review by August 2019. 


Recommendation #9 
We recommend the Board of Pharmacy work with the Prescription Drug Advisory Group to: 


A. Establish formal policies and procedures regarding business processes which include 
regular, ongoing meetings. 

B. Expand advisory group membership to include other stakeholders important to 
prescription drug evaluations and discussions. 

C. Establish clear definitions of misuse and diversion of prescription drugs and update 
definitions in administrative rules. 


Response: The Department concurs with the recommendation. The Department agrees input from 
the Prescription Drug Advisory Group is critical to management of the MPDR and will continue to 
seek their input. A specific agenda item to facilitate discussion of this recommendation has been 
placed on the agenda for the July 19, 2019 Board of Pharmacy full board meeting. 


In closing, the Department of Labor and Industry expresses our appreciation to the Board of 
Pharmacy and department personnel for their cooperation and assistance during the audit process; 
and to the Legislative Audit personnel for their diligence in exploring a broad and complex topic. 
As a Department we continually strive to improve our systems and processes as information and 
technology evolve. The MPDR is just one of the tools used by the State of Montana to protect 
patient safety and public health; and to help reduce misuse and diversion of controlled substances. 
As the auditors noted, in conjunction with other tools and the MPDR becoming functional in 2012, 
overdose deaths in Montana have decreased from 2006 to 2016 as national trends sadly trend 
upwards. DLI looks forward to working with legislators, MPDR stakeholders and citizens to 
continue to improve and maximize the potential of this tool; which in the end benefits all 
Montanans. 





Commissioner 
Department of Labor and Industry 


CC: Todd Younkin, BSD Administrator 